
NYDFS Announces Updated Cybersecurity Regulation

By Kathryn Rock, Prasun Howli

On November 1, 2023, the New York State Department of Financial Services (NYDFS) announced the amendments to its initial cybersecurity regulation, 23 New York Codes, Rules and Regulations (NYCRR) 500 [1]. The purpose of NYDFS 23 NYCRR 500 is to protect financial services companies and their customers from ever-growing cybersecurity threats. The regulation applies to banks, insurance companies, New York State-licensed branches and agencies of non-US banks, and all other financial services companies supervised by the NYDFS. The objective of the amendment is to address new threats from cybersecurity attacks that use sophisticated technologies. The proposed amendment has introduced the concept of Class A companies, which will be required to follow more stringent requirements.

The amendment states [2]: “Class A companies mean those covered entities with at least $20,000,000 in gross annual revenue in each of the last two fiscal years from business operations of the covered entity and its affiliates in this State and (1) over 2,000 employees averaged over the last two fiscal years, including those of both the covered entity and all of its affiliates no matter where located; or (2) over $1,000,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and all of its affiliates.”


Changes to the Key Cybersecurity Requirements

The 23 NYCRR 500 rule requires that each entity assess its cybersecurity risk profile and develop a robust program to address cybersecurity risks. The key amendments to the regulations include:

  • Cybersecurity Program: Class A companies must conduct independent audits of their own cybersecurity programs based on their risk assessments.
  • Cybersecurity Governance: The proposed amendment further delineates the roles and responsibilities of the chief information security officer (CISO). “Senior governing body means the board of directors (or an appropriate committee thereof) or equivalent governing body or, if neither of those exist, the senior officer or officers of a covered entity responsible for the covered entity’s cybersecurity program.” [3] The CISO and executive management (or their delegate) are responsible for developing, implementing, and maintaining the cybersecurity program, while the senior governing body exercises oversight over the program. Additionally, the CISO needs to report material cybersecurity issues to the senior governing body.
  • Vulnerability Management: Organizations need to conduct both internal and external penetration testing at least annually. Additionally, organizations need to perform automated and manual scans of the information systems to identify vulnerabilities. The amendment has also suggested risk-based prioritization of the identified vulnerabilities for remediation.
  • Access Privileges and Management: Organizations need to limit the number of privileged accounts with access to nonpublic information and also limit the access functionalities of those accounts based on job requirements. Additionally, the privileged accounts need to be reviewed at least annually. The amendment has also introduced new control requirements related to user access review, account monitoring, and password standards.
  • Asset Management and Data Retention Requirements: Organizations need to maintain an accurate and documented inventory of information assets with the following key information: (i) owner, (ii) location, (iii) classification or sensitivity, (iv) support expiration date, and (v) recovery time objectives.
  • Monitoring and Training: Class A companies need to implement an endpoint detection and response solution to monitor anomalous activity. Additionally, the amendment emphasizes the training requirements for employees.
  • Incident Response and Business Continuity Management: The amendment has introduced detailed requirements for Business Continuity and Disaster Recovery. It has also enhanced the requirements related to incident response plans.


Conclusion

In today’s world, cybersecurity has become more critical than ever before. As regulators seek to outmaneuver cybersecurity threats by introducing new regulations or amendments to existing ones, the growth of digital technologies is introducing new challenges. With the advent of artificial intelligence, big data, cloud infrastructure, and an expanding digital universe more generally, with its inherent omnipresent opportunities and risks, the complexity of managing cybersecurity risks will only increase. The key to success is to treat cybersecurity as a critical leadership and management issue rather than only a technology or information security requirement.


How Guidehouse Can Help

Guidehouse has assisted numerous clients in assessing their cybersecurity and operationalizing compliance requirements using regulations, standards, and guidance issued by cybersecurity authorities and global data privacy regulations. We have supported our clients by:

  • Conducting assessments of the current state of an organization’s cybersecurity posture and developing a roadmap to achieve compliance with cybersecurity regulations and standards
  • Assisting with the implementation of a cybersecurity program that is technologically sound and sustainable, including designing and documenting policies, procedures, and the control environment
  • Conducting assessments to ensure design adequacy and operating effectiveness of the cybersecurity controls
  • Designing and building cybersecurity resiliency programs
  • Providing executive support, including CISO as a Service


This post was updated on November 15, 2023 for accuracy and comprehensiveness.



1. New York State Department of Financial Services (NYDFS). “23 NYCRR 500 Cybersecurity Requirements For Financial Services Companies.” n.d. https://www.dfs.ny.gov/system/files/documents/2023/03/23NYCRR500_0.pdf.
2. New York State Department of Financial Services (NYDFS). “23 NYCRR 500 Cybersecurity Requirements For Financial Services Companies (Second Amendment text, November 1, 2023).” n.d. https://www.dfs.ny.gov/system/files/documents/2023/10/rf_fs_2amend23NYCRR500_text_20231101.pdf.
3. See footnote 2.


Kathryn Rock, Partner

Prasun Howli, Associate Director

