NYDFS Expands Cybersecurity Regulations: Extortion Payment Reporting, Corporate Governance, and Technical Requirements
A major amendment to the New York State Department of Financial Services' cybersecurity regulations establishes affirmative cybersecurity oversight duties and requires companies to report extortion payments to the agency.
On November 1, 2023, the NYDFS adopted the first substantial amendment to its cybersecurity regulations, 23 NYCRR Part 500, since their issuance in 2017. These regulations apply, with limited exemptions, to businesses authorized to operate under New York's Banking Law, Insurance Law, or Financial Services Law.
Key changes include:
- Extortion Payment Reporting. Covered entities must notify NYDFS within 24 hours of making an extortion payment and then provide a written description within 30 days detailing the payment's necessity, alternatives considered, and all relevant diligence performed.
- Corporate Governance Obligations. A covered entity's senior governing body must oversee cybersecurity risk management by having sufficient understanding of cybersecurity-related matters; regularly reviewing management reports about cybersecurity matters; and confirming that management has established a cybersecurity program and allocated sufficient resources to make it effective.
- CISO's Duties. The Chief Information Security Officer ("CISO") must "timely" report "material" cybersecurity issues, including "significant cybersecurity events and significant changes to the covered entity's cybersecurity program," to the covered entity's senior governing body.
- Notification Responsibilities. Reportable cybersecurity incidents now include those occurring at a covered entity's third-party service providers.
- Technical Safeguards. Covered entities must implement access-privilege controls (including multi-factor authentication) and other risk-based technical controls appropriate to their risk assessment.
- Written Policies and Procedures. Covered entities must implement written incident response and disaster recovery plans. Importantly, covered entities must also adopt IT asset management policies and procedures that include asset risk classification, risk oversight, and reporting across all IT capabilities and services.
- Compliance Requirements. Covered entities must submit annual certifications to NYDFS attesting to "material" compliance with the regulations. If an entity is noncompliant, then it must identify the noncompliance and provide a remediation timeline.
Larger covered entities, which the amendment designates "Class A companies," must implement additional technical safeguards and conduct annual independent audits of their cybersecurity programs. A Class A company is one that generated at least $20,000,000 in gross annual revenue from New York operations in each of the past two years and had either (1) over 2,000 employees, or (2) over $1,000,000,000 in gross annual revenue from all operations during that period.
With some exceptions, covered entities have until April 29, 2024, to comply with the new requirements. Covered entities must comply with the amendment's cybersecurity incident and extortion payment notification requirements by December 1, 2023.