New York Department of Financial Services Proposed Amendments to Cybersecurity Regulation: What it Means for Covered Entities

December 14, 2022

By Daniel B. Garrie

Proposed Amendments to Cybersecurity Regulation

On November 9, 2022, the New York Department of Financial Services (NYDFS) issued a proposed second amendment to its 2017 Cybersecurity Regulation 23 NYCRR 500 (“Proposed Amendments”). The publication of these Proposed Amendments comes in the wake of a buzz-worthy pre-proposal comment period, where the NYDFS considered the comments received in response to the pre-proposed amendments. The 60-day public comment period for the Proposed Amendments will end on January 9, 2023. These amendments create a new subset of covered entities subject to further requirements. Moreover, they set new cybersecurity obligations regarding incident reporting times, governance, and technical and organizational needs. This post discusses some of the more significant changes identified in the Proposed Amendments that will impose additional requirements on the new category of covered entities.

The Proposed Amendments would create a new category of “Class A companies,” described as covered entities with $20 million or more in gross annual revenue in each of the prior two (2) fiscal years from business operations in New York (including those of the covered entity and its affiliates), and either: (i) over 2,000 employees averaged over the past two (2) fiscal years (counting employees of both the covered entity and its affiliates, regardless of location); or (ii) more than $1 billion in gross annual revenue in each of the previous two (2) fiscal years from all business operations of the covered entity and its affiliates. This new class will face cybersecurity requirements beyond those customarily imposed on covered entities.

Two critical new requirements are independent audits and risk assessments. Class A companies must undertake independent audits of their cybersecurity programs, conducted by external auditors who are “free to make decisions not influenced by” the covered entity. This “independent audit” differs markedly from the “independent audit” discussed in the pre-proposed amendments, under which either an internal or an external auditor would have been allowed to conduct the audit.

In addition, covered entities must review and update their risk assessment annually, and must use external experts to conduct the risk assessment at least once every three (3) years. Currently, covered entities need only conduct risk assessments “periodically” and “as reasonably necessary to address changes to the covered entity’s information systems, nonpublic information, or business operations.” Further, whenever a change in the business or technology causes a material change to the covered entity’s cyber risk, Class A companies would be required to update their risk assessment.

The Proposed Amendments also have new incident reporting provisions. Each covered entity must provide NYDFS with the requested information about the investigation of a notified cybersecurity incident in a standard electronic form. This reporting has a 90-day response period for the investigative findings [500.17(a)(2)]. Covered entities must also report third-party cybersecurity incidents on a 72-hour notification deadline, beginning from the time the covered entity is aware of the event [500.17(a)(3)].

The Proposed Amendments introduce additional requirements for Chief Information Security Officers (“CISOs”) and board members. In this regard, New York continues to demonstrate to companies that corporate governance is essential. The Proposed Amendments remove the CISO independence requirement contained in the pre-proposed amendment, but they require that the CISO have the ability to direct sufficient resources to implement and maintain a cybersecurity program. In particular, a corporate board must: have sufficient cyber risk expertise and knowledge for effective oversight; approve the company’s security policies, procedures, and risk assessment; receive briefings from the CISO at least annually; and review any material issues arising from vulnerability assessments and penetration tests. Beyond the individual requirements placed on the CISO and board members, a company’s senior management and leaders must also be proactive. The CEO and CISO must co-sign an annual attestation of security compliance. The CEO and senior officers must participate in incident response plan testing, and senior officers must also be present during business continuity plan testing.

In light of the new Proposed Amendments, there are a few points covered entities may want to note regarding the impact on their business. If they are adopted, covered entities and NYDFS-regulated entities should consider taking the following steps in preparation for compliance:

  1. Conduct tabletop exercises. These exercises ensure that the covered entity’s employees are well trained in their roles and responsibilities for mitigating harm in the event of an incident.
  2. Establish whether your entity is a Class A company and, if so, assess whether it will be subject to the additional compliance obligations imposed on Class A companies.
  3. Revise current incident response plans to reflect the Proposed Amendments and the new notification obligations for ransomware, unauthorized access to privileged accounts, and third-party security events, including the associated reporting requirements. The revision should also document the justification for any payment that could be labeled an extortion payment.

NYDFS’ Proposed Amendments further evidence that cyber risk is not simply a technical issue. A company’s entire security team, its board, and its management team must treat the management of cyber risk as a mandatory core responsibility. Covered entities should also assess their cybersecurity practices and procedures to ensure they have sufficient controls to comply with these anticipated New York regulatory changes.
