Tech & Sourcing @ Morgan Lewis


The New York Department of Financial Services (NYDFS) published its proposed amendment to its 23 NYCRR Part 500 (Cybersecurity Rules) on November 9, 2022, following the release of the draft version on July 29, 2022.

The proposed amendments complement the efforts of the US government to further regulate cybersecurity practices pursuant to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). If adopted, the proposed amendment, among other things, establishes “Class A” companies, and requires covered entities (i.e., insurance companies, banks and other financial institutions regulated by the NYDFS) to, within 180 days, review their existing policies and procedures and ensure compliance with all applicable requirements of the Cybersecurity Rules.

Some of the key changes proposed by the amendment are highlighted below.

Requirements for Class A Companies

The proposed amendment describes “Class A” companies as covered entities with at least $20,000,000 in gross annual revenue from the entity’s (and its affiliates) business operations in New York and, either (1) over 2,000 employees; or (2) over $1,000,000,000 in gross annual revenue, in each of the last two fiscal years from all its (and its affiliates) business operations regardless of location. Class A companies are subject to heightened compliance requirements and must, in addition to complying with general requirements for covered entities:

  • Annual audit: Conduct an independent audit annually (i.e., by external auditors free of influence of covert entities).
  • Risk assessment: Use external experts to conduct a risk assessment at least once every three years.
  • Monitoring activity: Implement an endpoint detection and response solution to monitor anomalous activity (including lateral movement) and centralize logging and security event alerting, unless the chief information security officer (CISO) approves a reasonably equivalent or more secure tools.
  • Privileged access control: Implement privileged access controls and automated blocking of commonly used passwords, unless the CISO approves a reasonably equivalent or more secure tools.

Requirements for All Covered Entities

The proposed amendment introduces increased compliance requirements for all covered entities. Some of the amendments introduced include:

  • Risk assessment and vulnerabilities management: Covered entities are to (1) conduct penetration testing annually; (2) conduct vulnerabilities monitoring, remediate, on a triage basis, and report to senior governing bodies where necessary; (3) conduct risk assessments annually; and (4) conduct automated and/or manual scans of its information systems, including promptly after any major system changes.
  • Notification: Covered entities are to notify the NYDFS (1) within 72 hours of unauthorized access to a privileged account or ransomware attack on material parts of its system and (2) within 24 hours of extortion payments, while also providing reasons for such payments (or alternatives considered) within 30 days of such payments.
  • Access control: Covered entities are required to (1) limit the number of, and access to, privileged accounts; (2) at least annually, review access privileges and consequently remove disabled or unnecessary accounts; (3) implement multifactor authentication for remote accesses and privileged accounts; and (4) disable or securely configure remote access protocols.
  • Incident Response Plan (IRP) and Business Continuity and Disaster Recovery (BCDR) Plans: Covered entities are required to maintain an IRP and implement a BCDR plan and to test these annually. The IRP and BCDR plan should include maintenance of offsite data back-ups and annual training to staff on cybersecurity awareness.
  • Governance: The CISO should have authority over the cybersecurity programs and must report cybersecurity issues and risk assessments to the senior governing body. The covered entity’s board or committee should also have oversight over its cybersecurity risk management and must ensure that a cybersecurity program is developed by the executive management.
  • Notice of compliance: The CISO and the highest-ranking officer of the covered entities are both required to sign a certificate of compliance, and notice of compliance must be delivered annually to the NYDFS.
  • Penalty: Penalties could result from a single violation or act, such as failure to notify the NYDFS of a ransomware attack within 24 hours. Factors such as degree of harm to consumers, good faith, and history of violations will be considered by the NYDFS when assessing the extent of the penalty.

Next Steps

The NYDFS has requested for comments on the proposed amendments to be submitted in writing to it by 5:00 pm EST on Monday, January 9, 2023. Details on how to respond can be accessed on the NYDFS website.

Trainee solicitor Samuel Omotayo contributed to this blog post.