NYDFS Cybersecurity Regulations and Compliance Guidance
On November 1, 2023, the New York State Department of Financial Services (NYDFS) amended its cybersecurity regulation, 23 NYCRR 500 (or Part 500). NYDFS has published guidance on the implementation timeline for key compliance dates for the various categories of entities impacted (including Small Businesses, Class A Companies and Covered Entities). In addition, NYDFS has published training materials and FAQs regarding the new requirements.
As of December 1, 2023, Small Businesses, Class A Companies, and Covered Entities were required to report cyber incidents, including ransomware attacks, to NYDFS.
The next major deadline is April 15, 2024, for compliance with section 500.17(b) of amended Part 500. This requires all companies to submit a Certification of Material Compliance or Acknowledgment of Noncompliance to the NYDFS. NYDFS has provided in its FAQs that if a “Covered Entity cannot certify that it was in material compliance with the Cybersecurity Regulation for the prior calendar year, it must file a written Acknowledgment of Noncompliance which (1) acknowledges that the Covered Entity did not materially comply with all the requirements applicable to it; (2) identifies all sections of Part 500 that the Covered Entity has not materially complied with; (3) describes the nature and extent of such noncompliance; and (4) provides a remediation timeline or confirmation that remediation has been completed. 500.17(b).”
By April 29, 2024, Covered Entities and Class A Companies must comply with most of the provisions under amended Part 500 (e.g., 500.2(c); 500.3; 500.5(a)(1), (b), and (c); 500.9; and 500.14(a)(3)). This includes updating their internal risk assessments, which they must continue to do at least annually or whenever a change in operations or technology causes a material change to the business’s cyber risk. In addition, they must comply with certain testing, monitoring, training and audit requirements.
Under the amended Part 500, material compliance does not require absolute compliance. However, it does require entities to take a risk-based approach to assessing their compliance needs and to conduct an overall gap analysis of their current cybersecurity programs against the requirements of the amended Part 500.