NYDFS Announces Second Amendment to Cybersecurity Regulations

by Tom Strickland, Principal and Robert Gaines, Director

Last month, the New York State Department of Financial Services (NYDFS) released a second amendment to its cybersecurity regulation 23 NYCRR Part 500. Given the risks posed by cybercriminals, the amendment expands cybersecurity requirements for financial services companies across many areas—from governance through incident response and access controls. This amendment is the first major adjustment to the NYDFS cybersecurity regulations since its implementation in 2017.

These changes include:

• New requirements and exemptions based on company size
• Policies and procedures
• Incident response and reporting
• Vulnerability scanning, penetration testing and validation
• Access management

New Requirements and Exemptions Based on Company Size

The amendment places additional qualifications on larger companies, specifically what NYDFS calls a “Class A company,” which is a covered entity with at least $20 million in gross annual revenue from business operations in New York and either (1) more than 2,000 employees in total; or (2) over $1 billion in gross annual revenue from business operations in all states. These requirements include:

• Performance of “independent audits” of the cybersecurity program based on the company’s risk assessment, eliminating the annual audit requirement.
• Execution of a privileged access management solution.
• Implementation of strong requirements for information system accounts.
• Enactment of an endpoint detection and response solution.
• Implementation of centralized logging and security event alerting.

The company’s chief information security officer (CISO) may approve equivalent compensating controls.

With respect to companies not classified as Class A, exemptions for the regulations’ requirements have been raised, increasing the threshold from 10 to 20 employees and the total assets from $10 million to $15 million. The gross annual revenue threshold has been moved from $5 million to $7.5 million. To qualify, a business must have less than $7.5 million in gross annual revenue in each of the last three fiscal years from business operations, regardless of location.

Policies and Procedures

The amendment expands requirements around policies and procedures, as well as governance of the cybersecurity program. These include requirements that companies:

• Have cybersecurity policy approved by the senior officer or senior governing body at least annually. 
• Develop and implement written vulnerability management policies and procedures.
• Enforce encryption policies that encrypt data at rest and in transit over external networks.
• Monitor and filter web traffic and emails to block malicious content.
• Annually certify the program by signature of the CISO and the covered entity’s highest-ranking executive annually.
• Certify “material” compliance during the prior calendar year. Companies that cannot certify material compliance must submit a written acknowledgment of noncompliance that describes the reasons for noncompliance and the timeline for compliance remediation.

Incident Response and Reporting

The amendment requires several changes to requirements around incident response policies and procedures, specifically around reporting requirements. These include:

• Expanding the coverage of cybersecurity reportable events to include the covered entity, its affiliates or a third-party service provider if the incident impacts the covered entity.
• Ensuring that incident response plan reports include root cause analysis of the event, any business impact and prevention measures.
• Reporting any incident that results in the deployment of ransomware within a material part of the covered entity’s information systems. 
• Notifying the Department within one day if a company makes an extortion payment. Within 30 days, companies must submit a written statement explaining why the payment was necessary, what alternatives were considered and what due diligence was performed.

Vulnerability Scanning, Penetration Testing and Validation

The amendment clarifies intervals for testing and removes language around continuous monitoring or bi-annual assessments, requiring frequency to be determined by the risk assessment. Updated requirements are as follows:

• Automated vulnerability scans of information systems and a manual review of other systems at a frequency determined by the risk assessment.
• Annual penetration testing of information systems from inside and outside the systems’ boundaries.
• Annual update of the risk assessments.
• Annual testing of the incident response and business continuity and disaster recovery plans.
• Annual review of all user access privileges including removal of access or disabling unnecessary accounts.
• Annual cybersecurity awareness training, including the use of social engineering testing for end users.

One of the bigger changes that will likely impact many smaller entities is the requirement for internal and external penetration testing. Many organizations previously utilized continuous monitoring control as an alternative to penetration testing.

Access Management

The amendment outlines detailed requirements for access privileges and imposes the following requirements:

• Limit user access privileges to nonpublic information to only those necessary to perform the user’s job.
• Enforce the principle of least privilege by limiting the number of privileged accounts and access functions of those accounts to only those necessary to perform the user’s job.
• Only permit use of privileged accounts when performing functions requiring that access.
• Disable or securely configure all protocols that permit remote device control.
• Promptly terminate access after departures.
• Implement multi-factor authentication for access to information systems.

Timeline

Changes will go into effect in a phased approach from April 2024 to November 2025. NYDFS has published the following timelines to help assist organizations prepare accordingly:

• Implementation Timeline for Small Businesses
• Implementation Timeline for Class A Companies
• Implementation Timeline for Covered Entities

Contact Us

Navigating NYDFS requirements may seem daunting. The updated amendments to NYDFS regulations require material changes to the way covered entities approach cybersecurity and may have a direct impact on technology budgets and resources. PKF O’Connor Davies has subject matter experts to assist in assessing gaps, performing penetration testing and customizing implementation plans to help organizations of all sizes meet the new requirements. For assistance, reach out to your client engagement team or either of the following:

Tom Strickland, CISSP, CISA
Principal, Cybersecurity and Privacy Advisory
tstrickland@pkfod.com | 781.937.5305

Robert Gaines, CISSP, CECI, CCFI, CIPP/US
Director, Cybersecurity and Privacy Advisory
rgaines@pkfod.com | 425.518.1974