Skip to main content

Clifford Chance

Clifford Chance
Cyber<br />

Cyber

Talking Tech

New Amendment to New York's Cybersecurity Requirements for Financial Services Companies: a Call to Swift and Urgent Action

Cyber Security Fintech Banking & Finance 6 December 2023

On November 1, 2023, the New York State Department of Financial Services (DFS) announced an amendment to its cybersecurity requirements for financial services companies, 23 NYCRR Part 500. 

The Regulation, originally issued on March 1, 2017, contained requirements relating to DFS-regulated entities' cybersecurity programs, policies, governance, vulnerability management, and incident response.  It was amended in April 2020 to change the date of the annual certification filing from February 15 to April 15.

In the years since, threats to information and financial systems have changed dramatically, with increasing sophistication, range and prevalence of threat actors and cyberattacks, and a continuing evolution of cybersecurity programs and tools.  DFS has monitored these developments and seeks to address them through regulatory minimum standards and requirements in the new amendment.  

What are the new requirements?

The new amendment seeks to protect New York businesses and consumers from cyber incidents by integrating cybersecurity into regulated entities' risk management, business planning and decision making.  Among other cybersecurity mandates, the amendment contains:

  • Expanded risk management obligations: They apply to an entity's board of directors or a similar body, and include sufficient cybersecurity expertise to exercise oversight, confirmation that management has sufficient resources for and maintains an effective cybersecurity program, and regular review of cybersecurity-related reports.  These requirements are bolstered by added obligations for the Chief Information Security Officer (CISO) to timely report to the board on material cybersecurity issues.
  • New notices mandates: These require incident notification in a specific format, and ongoing collaboration with the superintendent, including provision of requested, new, and material information; expanded annual certification and acknowledgment forms, to be signed by an entity's highest-ranking executive and its CISO; and a new notice and explanation mandate regarding extortion payments.
  • Specific rules for "class A companies": These include entities with a gross annual revenue of at least $20 million in each of the last two fiscal years from all business operations of the entity and the business operations in New York of the entity’s affiliates and (i) over 2,000 employees averaged over the last two fiscal years, or (ii) more than $1 billion in gross revenue in each of the last two fiscal years from all operations of the entity and its affiliates.
  • A significantly expanded enforcement section:  The commission of a single act prohibited by the amended Regulation, or the failure to comply with any portion of the amended Regulation, constitutes a violation. DFS will consider various mitigating factors, including, e.g., good faith, history of prior violations, extent of harm to consumers, and gravity of the violation.

Additionally there are a range of expanded cybersecurity measures and controls, including:

  • Updated incident response plan requirements and new business continuity and disaster recovery plan requirements, which are tested annually.
  • Expanded cybersecurity policy mandates, including relating to data retention, remote access, and vulnerability management, to be approved annually.  
  • Expanded cybersecurity monitoring and training expectations for risk-based controls and an annual cybersecurity awareness training that includes social engineering.
  • More robust requirements around vulnerability management, including expanded penetration testing mandates, automated system scans and timely remediation.
  • Detailed new provisions on access privileges, to be reviewed annually.
  • Procedures around maintaining a robust asset inventory, which includes a method to track key information for each asset.
  • Multi-factor authentication requirements for remote access to information systems, third-party applications, and privileged accounts other than service accounts that prohibit interactive login.

Who is covered?

The amended Regulation applies to any person, including a partnership, corporation, or association, "operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law," regardless of whether the entity is also regulated by another government agency.

When does the amended Regulation take effect?

The new compliance requirements will take effect in phases.  Generally, covered entities have until April 29, 2024, to come into compliance. Changes to reporting requirements take effect on December 1, 2023.  For certain enumerated requirements, covered entities have up to one year, 18 months, or two years from November 1, 2023, to come into compliance.  DFS' Resource Center contains helpful materials, including training resources and implementation timelines.