NYDFS Expands Cybersecurity Regulations: Extortion Payment Reporting, Corporate Governance, and Technical Requirements

A major amendment to the New York State Department of Financial Services' cybersecurity regulations establishes affirmative cybersecurity oversight duties and requires companies to report extortion payments to the agency.

On November 1, 2023, the NYDFS adopted the first substantial amendment to its cybersecurity regulations, 23 NYCRR Part 500, since their issuance in 2017. These regulations apply, with limited exemptions, to businesses authorized to operate under New York's Banking Law, Insurance Law, or Financial Services Law. 

Key changes include: 

  • Extortion Payment Reporting. Covered entities must notify NYDFS within 24 hours of making an extortion payment and then provide a written description within 30 days detailing the payment's necessity, alternatives considered, and all relevant diligence performed. 
  • Corporate Governance Obligations. A covered entity's senior governing body must oversee cybersecurity risk management by having sufficient understanding of cybersecurity-related matters; regularly reviewing management reports about cybersecurity matters; and confirming that management has established a cybersecurity program and allocated sufficient resources to make it effective.
  • CISO's Duties. The Chief Information Security Officer ("CISO") must "timely" report "material" cybersecurity issues, including "significant cybersecurity events and significant changes to the covered entity's cybersecurity program," to the covered entity's senior governing body.
  • Notification Responsibilities. Reportable cybersecurity incidents now include those occurring at a covered entity's third-party service providers.
  • Technical Safeguards. Covered entities must implement access controls and other risk-based technical safeguards.
  • Written Policies and Procedures. Covered entities must implement written incident response and disaster recovery plans. Importantly, covered entities must also adopt IT asset management policies and procedures that include asset risk classification, risk oversight, and reporting across all IT capabilities and services.
  • Compliance Requirements. Covered entities must submit annual certifications to NYDFS attesting to "material" compliance with the regulations. If an entity is noncompliant, then it must identify the noncompliance and provide a remediation timeline.

Covered entities that generated at least $20,000,000 in gross annual revenue from New York operations in each of the past two years and that also had either (1) more than 2,000 employees, or (2) more than $1,000,000,000 in gross annual revenue, during that period must implement additional technical safeguards and conduct annual independent audits of their cybersecurity programs. 

With some exceptions, covered entities have until April 29, 2024, to comply with the new requirements. Covered entities must comply with the amendment's cybersecurity incident and extortion payment notification requirements by December 1, 2023.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.