ARTICLE
17 April 2024

Key Deadlines Approaching Under NYDFS Cybersecurity Regulations

McDonald Hopkins

Contributor

McDonald Hopkins

Back in November, we wrote about publication of the final amendment to the New York Department of Financial Services (NYDFS or Department) cybersecurity regulation, 23 NYCRR §§ 500.0–500.24, or Part 500. Now that April is upon us, a major compliance deadline is approaching, and several new provisions of the November 2023 Amendment are set to take effect.

If not already underway, covered entities should immediately initiate a review of their cybersecurity program to determine any potential shortcomings and areas of improvement. Below is a reminder of the new requirements and when they take effect.

Who is covered by the NYDFS Cybersecurity Regulation?

The NYDFS Cybersecurity Regulation covers any organization that is licensed or regulated by the Department. This includes a wide swath of financial institutions that operate in New York, including state-chartered banks, licensed lenders, private bankers, mortgage companies, insurance companies, and foreign banks.

The Regulation exempts organizations with fewer than 10 employees, less than $5 million in gross annual revenue for each of the past three years, or less than $10 million in year-end total assets. NYDFS maintains a helpful "Am I Exempt" flowchart on its website to assist small entities in determining whether they are covered or exempt.

Annual compliance submissions due April 15, 2024

Since the initial adoption of the NYDFS Cybersecurity Regulation, covered entities have been required to submit an annual notice of compliance to the Department by April 15. The November 2023 Amendment kept this requirement but provided more detail on the method of submitting the notice of compliance and the information to be included in the certification. All covered entities should ensure their notice of compliance is filed by Monday, April 15, 2024.

New requirements effective April 29, 2024

Oversight and Governance: The Cybersecurity Regulation requires certain actions of the covered entity's Chief Information Security Officer (CISO) and "Senior Governing Body." For example, the CISO must report to senior leadership regarding "material cybersecurity issues" and changes to the entity's cybersecurity posture. The Senior Governing Body is required to oversee and monitor the organization's cybersecurity program, which includes ensuring the entity has employees with sufficient knowledge and expertise to implement the program.

Cybersecurity Awareness Training: The Cybersecurity Regulation specifies that entities must provide cybersecurity awareness training to employees at least annually, and that the training must cover "social engineering."

Risk Assessments: The Cybersecurity Regulation instituted enhanced risk assessment standards. Additionally, the Regulation makes clear that the organization's risk assessment must be reviewed and updated annually and "whenever a change in the business or technology causes a material change to the covered entity's cyber risk."

Vulnerability Management: The Cybersecurity Regulation requires entities to conduct annual penetration testing from both inside and outside the boundaries of their information systems, as well as a manual or automated review of all information systems for the purpose of identifying and remediating vulnerabilities.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
