Review of NYDFS Cybersecurity Regulations Proposed Changes
November 14, 2023
On July 29, 2022, the New York Department of Financial Services (NYDFS) released pre-proposed amendments to its Cybersecurity Regulation, 23 NYCRR Part 500, for a 10-day comment period. After receiving feedback on the pre-proposal, NYDFS published the official proposed amendments on Nov. 9, 2022, with a 60-day comment period. On June 28, 2023, NYDFS issued another round of proposed amendments with a 45-day comment period.
The fact that NYDFS has issued three rounds of proposals illustrates how extensive these changes are expected to be.
Several significant changes are included in the proposed amendments, but this article focuses only on those related to a “covered entity’s” (defined below) obligation to notify NYDFS of certain “cybersecurity events” (also defined below) as provided in Section 500.17.
Currently, covered entities must notify NYDFS as promptly as possible but no later than 72 hours from determining the occurrence of a cybersecurity event that falls into either of the following two scenarios:
- A cybersecurity event that impacts the covered entity and requires notice to any government body, self-regulatory agency, or any other supervisory body; or
- A cybersecurity event that is reasonably likely to materially harm a material part of the covered entity’s normal operations.
The latest proposed amendments include the following additional notice obligations:
- A cybersecurity event where an unauthorized user gained access to a privileged account would require notice.
- A cybersecurity event where ransomware is deployed within a material portion of a covered entity’s information system would also require notice.
- NYDFS added language clarifying that notice would be required when any of the above cybersecurity events occur at the covered entity or its affiliate or service provider.
- If NYDFS requests additional information, covered entities would have 1) to provide it promptly, and 2) a continuing obligation to update and supplement it.
- If a covered entity is involved in a cybersecurity event where a ransom or extortion payment is made, the covered entity would have to provide NYDFS electronically 1) within 24 hours of the payment, notice of the payment, and 2) within 30 days of the payment, an explanation of why the payment was necessary and other information (such as all diligence that was performed to ensure compliance with applicable rules and regulations, including those by OFAC).
Referenced Definitions from Latest Proposal (Additions Underlined, Deletions Bracketed)
- Covered Entity means any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies.
- Cybersecurity Event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.
- Information System means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.
- Person means any individual or [any non-governmental] entity, including but not limited to any [non- governmental] partnership, corporation, branch, agency or association.
Key Takeaways
The proposed amendments would significantly expand the categories of cybersecurity events requiring notice to NYDFS by covered entities. As currently proposed, such notice could include some events that do not materially impact the covered entity. The expansion of the notice obligations may provide significant challenges and exposure for covered entities, particularly when combined with (although not covered in this article) the expansion of the penalty provisions and certification requirements in the proposed amendments.
Even if your company does not conduct business in New York, NYDFS cybersecurity regulations may be worth paying attention to because they have helped inform requirements on the federal and state level (including the FTC’s updated Safeguards Rule and the NAIC Insurance Data Security Model Law, as adopted in several states).
The information provided in this article does not, and is not intended to, constitute legal advice. All information is for general informational purposes only.
Seth A. Shapiro is Vice President and Privacy & Cybersecurity Counsel for Fidelity National Financial Inc. He can be reached at [email protected].
Contact ALTA at 202-296-3671 or [email protected].