NYDFS Amended Cybersecurity Rules: Overview of Upcoming Deadlines

December 19, 2023

Reading Time : 9 min

On November 1, 2023, the New York Department of Financial Services (NYDFS) announced the adoption of amendments to its Cybersecurity Regulation 23 NYCRR Part 500 (“Amended Cybersecurity Rules” or “Amended Rules”). NYDFS adopted changes following formal notice and comment on the proposed amendments released in June 2023 (please find our piece on the proposed amendments here). NYDFS also released an “Assessment of Public Comment” describing why it adopted or rejected certain comments, providing a helpful sight into the Department’s approach to the Cybersecurity Regulation.

More Obligations for the Largest Companies

The Amended Rules create a new subcategory for large covered entities called “Class A companies.” Class A companies are covered entities with at least $20 million in gross annual revenue from its business operations and its affiliates in New York in each of the last two years, and either: (i) over 2,000 employees, including employees of its affiliates, no matter where located; or (ii) $1 billion in gross annual revenue for each of the past two fiscal years from all business operations and its affiliates no matter where located.[1] These Class A companies will now face several new cybersecurity requirements, including:

  • Independent Audits: Design and conduct audits based on its risk assessment.[2] An independent audit must be conducted by internal or external auditors free to make decisions not influenced by the Company[3];
  • Monitoring. Establish an endpoint detection and response solution for monitoring anomalous activity, including lateral movement, and a solution that centralizes logging and security event alerting;[4]
  • Privileged Access Activity. Implement a privileged access management solution along with an automated method of blocking commonly used passwords for all accounts on information systems owned or controlled by the Company (to the extent feasible).[5]

New Notification Requirements

The Amended Rules expand notifications requirements and add “cybersecurity incident” as a new defined term, to align with the terms used in other regulations. Under the original Cybersecurity Regulations, covered entities were required to notify NYDFS within 72 hours of any cybersecurity event that (1) had an impact on the covered entity and notice was required to any government body, agency or other supervisory body or (2) had a reasonable likelihood of harming a material part of normal operations. The Amended Rules add:

  • Ransomware deployed within a material part of the covered entity’s information systems[6] as an additional trigger;
  • Prompt updates to be made to the superintendent with any information requested regarding a reported incident, including providing any previously unavailable new information;[7]
  • A new 24-hour notification requirement for extortion payments connected to a cybersecurity event, that also entails submitting a written description within 30 days describing why payment was necessary, alternatives considered, and sanctions diligence conducted.[8]

Additional Governance Provisions

Although the original Cybersecurity Regulations featured many governance requirements for cybersecurity policies, the Amended Rules introduce enhanced obligations:

  • Enhanced Reporting to the Board: Additional reporting by the CISO on “plans for remediating material inadequacies” and requirement to “timely” report “material cybersecurity issues such as significant cybersecurity events or significant changes made to the cybersecurity program.”[9]
  • Executive Annual Certifications: The required annual certification of compliance must now be signed by the highest-ranking executive of the covered entity and its CISO, instead of the senior officer as was originally required.[10]
  • Certification of Compliance for Prior Year: The covered entity must now certify that it “materially complied” with the Cybersecurity Rule requirements “during the prior calendar year” and must be based on data and documentation sufficient to accurately determine and demonstrate this material compliance.[11]
  • Acknowledgement of Noncompliance: In the event the CISO and highest-ranking executive cannot certify compliance, the Amended Rules require written acknowledgement that: (i) the entity did not materially comply, (ii) identify the sections that the covered entity did not comply with while describing the nature and extent of the noncompliance, and (3) provide a remediation timeline or confirmation that remediation has been completed.[12]
  • Tabletop Testing: New annual tests requirements of incident response and business continuity and disaster recovery (BCDR) plan with all critical staff and management. The Amended Rules also require annual tests of the covered entity’s ability to restore its critical data and systems from backups.[13]

New Incident Response Requirements

Covered entities face some new requirements for their incident response plans under the Amended Rules. These incident response plans must be reasonably designed for prompt response to and recovery from any cybersecurity event that materially affects the confidentiality, integrity or availability of a covered entity’s information systems or the continuing functionality of “any aspect of the covered entity’s business or operations.”[14] Covered entities’ incident response plans must now address both recovery from backups and “root cause analysis” under the Amended Rules. Root cause analysis must describe the details of how and why the event occurred, the business impact of the event and what will be done to prevent a repeat of the event.[15] 

Business Continuity Plan Requirements

The Amended Rules add new obligations for covered entities regarding business continuity plans. The previously mentioned BCDR plans are now required for covered entities, to ensure covered entities’ information systems and material services remain available and functional in the event of a cybersecurity disruption.

BCDR plans must:

  1. Identify documents, data, facilities, infrastructure, services, personnel and competencies essential to the continued operations of the covered entity’s business;
  2. Identify supervisory personnel responsible for implementing the BCDR plan;
  3. Have a plan to communicate with essential persons in the event of a cybersecurity-related disruption;
  4. Include procedures for the timely recovery of critical data and information systems and to resume operations as soon as reasonably possible;
  5. Include procedures for backing up information essential to the operations of the covered entity and storing such information off-site; and
  6. Identify third parties that are necessary to the continued operations of the covered entity’s information systems.[16]

Revamped Risk Assessments

The definition of “risk assessment” was expanded to cover “the process of identifying, estimating and prioritizing cybersecurity risks to organizational operations (including mission functions, image and reputation), organizational assets, individuals, customers, consumers, other organizations and critical infrastructure resulting from the operation of an information system. Risk assessments incorporate threat and vulnerability analyses and consider mitigations provided by security controls planned or in place.”[17]  Risk assessments are now required to be reviewed and updated at a minimum annually and whenever a material change in the business or technology causes a material change to the covered entity’s cyber risk.[18]

More Access Controls & Technical Controls

The original Cybersecurity Regulations required covered entities to establish policies and procedures for periodically disposing of nonpublic information, as well as limiting access privileges for users on information systems that provide access to nonpublic information. The Amended Rules establish additional controls for user access and retention, as well as technical requirements, including:

  • Multifactor Authentication: Multifactor authentication (MFA) is required for “any individual accessing any information system of a covered entity.”[19] The Amended Rules removed “text message on a mobile phone” from the list of permitted MFA authentication factors.[20]
  • Defense Against Malicious Code: Covered entities must enact risk-based controls to protect against malicious code, including monitoring controls and web traffic filtering.[21]
  • Mandatory Encryption: The Amended Rules removed the option for covered entities to use “effective alternative compensating controls” instead of encryption for nonpublic information in transit over external networks.[22]
  • Vulnerability Assessments: For managing vulnerabilities, the Amended Rules require (i) annual penetration testing by a qualified external party; (ii) automated scans of information systems and a manual review of systems not covered by such scans to discover, analyze and report vulnerabilities at a frequency determined by the risk assessment; (iii) prompt informing of the covered entity on new vulnerabilities and having a monitoring process and (iv) timely remediation of vulnerabilities with priority given based on the risk the pose.[23]
  • Asset Management & Data Retention: The Amended Rules require covered entities to implement policies and procedures designed to maintain a complete and accurate asset inventory of their information systems. These policies must include a method to track key information for assets, such as owner, location and classification or sensitivity. The policies must also include the frequency required to update and validate the covered entity’s asset inventory.[24]
  • Access Privileges and Management: Under the Amended Rules, covered entities are required to (i) limit user access privileges to nonpublic information systems to only those necessary to perform the user’s job; (ii) limit the number and use of privileged accounts and limit access functions; (iii) review all use access privileges at least annually; (iv) review all user access privileges and remove unnecessary access at least annually; (v) disable or securely configure protocols that permit remote control of devices and (vi) promptly terminate access following departures.[25] The Amended Rules have redefined “privileged account” as “any authorized user account or service account that can be used to perform security-relevant functions that ordinary users are not authorized to perform, including but not limited to the ability to add, change or remove other accounts, or make configuration changes to information systems.”[26] The Amended Rules also require covered entities to implement a written password policy, to the extent passwords are employed, that meets industry standards.[27]

New Enforcement Provisions

Notably, under the Amended Rules, the commission of a single prohibited act, or the failure to satisfy an obligation, constitutes a violation. These failures can include:

  1. Failure to prevent unauthorized access to nonpublic information due to noncompliance with any section; or
  2. A material failure to comply for any 24-hour period with any section.[28]

The NYDFS also included a list of mitigating factors in the Amended Rules that it will consider when assessing penalties, including but not limited to:

  • Cooperation during the investigation, good faith, history of prior violations,
  • Whether the act was intentional, whether accurate and timely disclosures were made,
  • The extent of harm to customers, gravity of the violation, number of violations,
  • The participation of senior governing body, penalties imposed by other regulators.[29]


Please see the table below for a timeline of when new provisions of the Amended Cybersecurity Rules will become effective:

Timeline of NYDFS Amended Cyber Rules Requirements

December 1, 2023

Notification obligations to NYDFS (500.17)

April 15, 2024

Certification requirements (500.17(b))

April 29, 2024

Risk assessment requirements (500.9)

Cybersecurity policy requirements (500.3)

Penetration testing and monitoring requirements (500.5(a)(1), (b), and (c))

Training requirements (500.14(a)(3))

For Class A companies, audit requirements (500.2(c))

November 1, 2024

CISO, management, and board governance requirements (500.4)

Encryption requirements (500.15)

Incident response and business continuity planning and testing requirements (500.16)

May 1, 2025

Scanning requirements (500.5(a)(2))

Access privilege and password requirements (500.7)

Requirements for protection against malicious code (500.14(a)(2))

For Class A companies, requirements relating to privileged access management solutions and blocking of commonly used passwords (500.7)

For Class A companies, requirements for endpoint detection and response solutions and centralized logging (500.14(a)(2) and (b))

November 1, 2025

MFA requirements (500.12)

Asset inventory requirements (500.13(a))

To assist impacted businesses with keeping track of important compliance dates, NYDFS published Cybersecurity Implementation Timelines for small businessesClass A businesses, and covered entities, and announced that it will host webinars to assist regulated entities with compliance.

Please contact a member of Akin’s cybersecurity, privacy and data protection team if you have any questions about these amendments or how they will affect your company.


[1] 23 NYCRR § 500.1(d), when determining the number of employees and the gross annual revenue, the term “affiliates” should include “only those that share information systems, cybersecurity resources, or all or any part of a cybersecurity program with the covered entity.”

[2] Id. at 500.2(c).

[3] Id. at 500.1(h).

[4] Id. at 500.14(b).

[5] Id. at 500.7(c) Alternatively, the covered entity’s CISO may instead approve in writing at least annually the infeasibility and the use of reasonably equivalent or more secure compensating controls.

[6] Id. at 500.1(g).

[7] Id. at 500.17(a)(2).

[8] Id. at 500.17(c) this includes applicable rules from the Office of Foreign Assets Control (OFAC).

[9] Id. at 500.4(b), (c).

[10] Id. at 500.17(b).

[11] Id. at 500.17(b)(1) This can include documentation from officers, employees, representatives, outside vendors and other individuals or entities, as well as reports, certifications and schedules.

[12] Id. at 500.17(b)(1)(ii).

[13] Id. at 500.16(d).

[14] Id. at 500.16(a)(1).

[15] Id.  

[16] Id. at 500.16(a)(2).

[17] Id. at 500.1(p).

[18] Id. at 500.9(a).

[19] Id. at 500.12(a), (b), there are limited exceptions to this requirement for small entities, and the CISO may approve use of reasonably equivalent or more secure compensating controls, to be reviewed annually at a minimum.

[20] Id. at 500.1(j).

[21] Id. at 500.14(a)(2).

[22] Id. at 500.15(a).

[23] Id. at 500.5(a-c).

[24] Id. at 500.13(a).

[25] Id. at 500.7(a).

[26] Id. at 500.1(n).

[27] Id. at 500.7(b).

[28] Id. at 500.20(b).

[29] Id. at 500.20(c).

Share This Insight

Previous Entries

Data Dive

November 19, 2024

The European Union’s AI Office published the inaugural General-Purpose AI Code of Practice on November 14, 2024. The Code is intended to assist providers of AI models in their preparations for compliance with the forthcoming EU AI Act, to be enforced from August 2, 2025. The Code is designed to be both forward-thinking and globally applicable, addressing the areas of transparency, risk evaluation, technical safeguards and governance. While adherence to the Code is not mandatory, it is anticipated to serve as a means of demonstrating compliance with the obligations under the EU AI Act. Following a consultation period that garnered approximately 430 responses, the AI Office will be empowered to apply these rules, with penalties for nonconformity potentially reaching 3% of worldwide turnover or €15 million. Three additional iterations of the Code are anticipated to be produced within the coming five months.

...

Read More

Data Dive

November 15, 2024

On October 29, 2024, the DOJ issued a proposed rule prohibiting and restricting certain transactions that could allow persons from countries of concern, such as China, access to bulk sensitive personal data of U.S. citizens or to U.S. government-related data (regardless of volume).

...

Read More

Data Dive

October 17, 2024

During the course of any lending transaction, lenders will conduct a due diligence review of the borrower, including reviewing any relevant “know-your-customer” information.

...

Read More

Data Dive

September 17, 2024

Following the publication of the European Union’s Artificial Intelligence Act (AI Act or Act) on 12 July 2024, there are now a series of steps that various EU bodies need to take towards implementation. One of the first key steps is in relation to the establishment of codes of practice to “contribute to the proper application” of the AI Act.

...

Read More

Data Dive

August 6, 2024

On July 30, 2024, the Senate passed the Kids Online Safety and Privacy Act (S. 2073) via an overwhelmingly bipartisan vote of 91-3 shortly before departing for the August recess.

...

Read More

Data Dive

July 18, 2024

On 12 July 2024, the European Union Artificial Intelligence Act (AI Act or Act) was published in the Official Journal of the European Union (EU), marking the final step in the AI Act’s legislative journey. Its publication triggers the timeline for the entry into force of the myriad obligations under the AI Act, along with the deadlines we set out below. The requirement to ensure a sufficient level of AI literacy of staff dealing with the operation and use of AI systems will, for example, apply to all providers and deployers on 2 February 2025.

...

Read More

Data Dive

July 18, 2024

On June 18, 2024, the United States Securities and Exchange Commission (SEC) announced a settlement with R.R. Donnelley & Sons Company (RRD) for alleged internal control and disclosure failures following a ransomware attack in 2021. Without admitting or denying the SEC’s findings, the business communications and marketing services provider agreed to pay a civil penalty of over $2.1 million to settle charges alleging violations of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 (Exchange Act) and Exchange Act Rule 13a-15(a).1

...

Read More

Data Dive

June 11, 2024

In May, the National Institute of Standards and Technology (NIST) issued updated recommendations for security controls for controlled unclassified information (CUI) that is processed, stored or transmitted by nonfederal organizations using nonfederal systems, (NIST Special Publication 800-171 (SP 800-171), Revision 3). These security requirements are “intended for use by federal agencies in contractual vehicles or other agreements that are established between those agencies and nonfederal organizations.”1 While these new controls are only applicable to nonfederal entities that agree to comply with the new issuance, Revision 3 signals the next phase of expected security for government contractors.

...

Read More

© 2024 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.