On November 1, 2023, the New York State Department of Financial Services (NYDFS) announced the amendments to its initial cybersecurity regulation, 23 New York Codes, Rules and Regulations (NYCRR) 500. The purpose of the NYDFS 23 NYCRR 500 is to protect financial services companies and their customers from ever-growing cybersecurity threats. The regulation is applicable to banks, insurance companies, New York State-licensed branches and agencies of non-US banks, and all other financial services companies that are supervised by the NYDFS. The objective of the amendment update is to address new threats from cybersecurity attacks using sophisticated technologies. The proposed amendment has introduced the concept of Class A companies, which will be required to follow more stringent requirements.
The amendment states: “Class A companies mean those covered entities with at least $20,000,000 in gross annual revenue in each of the last two fiscal years from business operations of the covered entity and its affiliates in this State and (1) over 2,000 employees averaged over the last two fiscal years, including those of both the covered entity and all of its affiliates no matter where located; or (2) over $1,000,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and all of its affiliates.”
The 23 NYCRR 500 rule requires that each entity assess its cybersecurity risk profile and develop a robust program to address cybersecurity risks. The key amendments to the regulations include:
In today’s world, cybersecurity has become more critical than ever before. As regulators seek to outmaneuver cybersecurity threats by introducing new regulations or amending existing ones, the growth of digital technologies is introducing new challenges. With the advent of artificial intelligence, big data, cloud infrastructure, and an expanding digital universe more generally, with its inherent omnipresent opportunities and risks, the complexity of managing cybersecurity risks will only increase. The key to success is to treat cybersecurity as a critical leadership and management issue rather than only a technology or information security requirement.
Guidehouse has assisted numerous clients in assessing their cybersecurity posture and operationalizing compliance requirements using regulations, standards, and guidance issued by cybersecurity authorities and global data privacy regulators. We have supported our clients by:
Guidehouse is a global advisory, technology, and managed services firm delivering value to commercial businesses and federal, state, and local governments. Serving industries focused on communities, energy, infrastructure, healthcare, financial services, defense, and national security, Guidehouse positions clients for AI-led innovation, efficiency, and resilience.