On November 1, 2023, the New York Department of Financial Services promulgated the 2nd Amendment to the New York State Cybersecurity Regulation, 23 NYCRR Part 500 (the “Amendment”). This post provides an overview of the new requirements introduced in the Amendment which will impact the operations and governance of all those subject to its provisions.
Who is Impacted by the New Cybersecurity Regulations?
The Cybersecurity Regulation applies to all entities and individuals chartered, licensed, registered, or otherwise approved to operate in New York by the state’s Department of Financial Services (each, a “Covered Entity”). The Regulation requires each Covered Entity to maintain a cybersecurity program, which must also address the third-party service providers that access the Covered Entity’s systems or nonpublic information, and sets minimum standards with which the Covered Entity must comply.
The Amendment is effective November 1, 2023, but its changes phase in transitionally, with the last of them taking effect November 1, 2025. Of significant note, it further bifurcates the Covered Entity class by creating a “Class A” company category within the Covered Entity classification. It also raises the employee count, revenue, and asset thresholds beneath which a Covered Entity may avail itself of the limited exemption. In addition, it expands the annual compliance certification procedure to require two corporate officer signatories and adds a provision for applying for an exemption from electronic filing based upon undue hardship, impracticability, or good cause.
Class A Covered Entity
In addition to standard companies and small companies (which include individuals), the Amendment creates a new category of Class A companies. A Class A company is, amongst other things, a Covered Entity with at least $20,000,000 in gross annual revenue from its New York operations (including those of its affiliates) and either more than 2,000 employees or more than $1,000,000,000 in gross annual revenue from all of its operations, in each case measured over the last two fiscal years. These entities are subject to every requirement in the Cybersecurity Regulation that standard and small companies are, as well as new obligations of their own, which take effect April 29, 2024, and May 1, 2025, including:
- Designing and conducting independent audits of its cybersecurity program, based on its risk assessment.
- Monitoring privileged access activity and implementing a privileged access management solution, together with an automated method of blocking commonly used passwords for all accounts on information systems the Class A company owns or controls and, wherever feasible, for all other accounts.
- Implementing, at a minimum, an endpoint detection and response solution to monitor for anomalous activity, and a solution that centralizes logging and security event alerting.
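The “automated method of blocking commonly used passwords” in the second item above is the one Class A requirement that comes down to a concrete control, and a naive implementation (exact match against a list) is easy to defeat: “Password” is refused while “P@ssw0rd1” sails through. The example below is added here for illustration; it is not code from the original post, from NYDFS, or from 3H Corporate Services. It normalizes a candidate password (case folding, stripping leading and trailing digits and punctuation, undoing common letter substitutions) before comparing it against a blocklist, and also refuses passwords containing organization-specific terms. The blocklist and the `ORG_TERMS` entries are a constructed sample, and “AcmeBank” is a hypothetical organization name; a real deployment would load a large published list of leaked passwords instead.

```python
"""Added example (not from the original post or from NYDFS): a minimal
"commonly used password" blocker of the kind 500.7(b) calls for.

A plain exact-match blocklist is trivially bypassed by capitalizing a
letter or appending a digit, so candidates are normalized first.
"""
from __future__ import annotations

import re
import unicodedata

# Constructed sample blocklist. A real deployment would load a large
# published list of leaked/common passwords rather than this handful.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "qwerty", "letmein", "welcome",
    "admin", "iloveyou", "monkey", "dragon", "football",
})

# Hypothetical organization-specific terms, longest first so that the
# reported match is the most specific one.
ORG_TERMS = ("acmebank", "acme")

# Common substitutions users make to dodge a blocklist.
_LEET = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t",
})
# Leading or trailing runs of digits, punctuation and underscores.
_EDGE = re.compile(r"^[\d\W_]+|[\d\W_]+$")


def normalize(candidate: str) -> str:
    """Reduce a password to the canonical form used for comparison."""
    s = unicodedata.normalize("NFKC", candidate).casefold()
    s = _EDGE.sub("", s)          # drop "2024!" / "!!" style decoration
    return s.translate(_LEET)     # then undo leet substitutions


def check_password(candidate: str) -> str | None:
    """Return a human-readable reason the password is refused, or None."""
    raw = candidate.casefold()
    if raw in COMMON_PASSWORDS:
        return "is on the common-password list"
    core = normalize(candidate)
    if not core:
        return "consists only of digits and punctuation"
    if core in COMMON_PASSWORDS:
        return f"normalizes to common password '{core}'"
    for term in ORG_TERMS:
        if term in core:
            return f"contains organization term '{term}'"
    return None


def is_blocked(candidate: str) -> bool:
    return check_password(candidate) is not None


if __name__ == "__main__":
    # Constructed candidates exercising each rule.
    for pw in ("P@ssw0rd1", "123456", "!!!!", "AcmeBank2024!",
               "Tr0ub4dor&3", "correct horse battery staple"):
        reason = check_password(pw)
        print(f"{pw!r}: {'BLOCKED, ' + reason if reason else 'allowed'}")
```

The point of `normalize` is that the blocklist stays small and readable while the comparison still catches the decorated variants users actually type; a deployment would sit this check behind the directory’s password-change hook (or a password filter DLL on Windows) and pair it with a length requirement, since normalization only says what a password is not.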
While annual reporting by a Covered Entity is still required by April 15 of each year, certifying compliance for the immediately preceding calendar year, there have been adjustments to the reporting requirements now in effect. Most notably, these include:
- The ability of a Covered Entity to now file an Acknowledgment of Noncompliance as distinguished from a Certificate of Compliance.
- Certifications must now be signed by the Covered Entity’s highest-ranking executive and its Chief Information Security Officer (CISO) or, in the absence of a CISO, by the senior officer responsible for the Covered Entity’s cybersecurity program.
- Cybersecurity events must now be reported electronically via the New York Department of Financial Services website. This reporting requirement extends to events experienced by a Covered Entity’s affiliate and/or third-party service provider.
- Cybersecurity event reporting has now been expanded to include the deployment of ransomware and the payment of a ransom. A ransom payment must be reported within 24 hours of the payment, followed by a comprehensive written report within 30 days of the payment.
Exemptions available to Covered Entities range from limited to full in nature. Covered Entities that qualify for a limited exemption are not required to comply with certain sections of the Cybersecurity Regulation. Covered Entities that qualify as fully exempt are not required to comply with any of the Cybersecurity Regulation (other than the initial filing of a Notice of Exemption) for as long as they remain qualified for a full exemption.
The Amendment changes the criteria for the limited exemption so that it is available, amongst other things, to a Covered Entity with fewer than 20 employees and independent contractors, less than $7,500,000 in gross annual revenue, or less than $15,000,000 in year-end total assets. A Covered Entity meeting the criteria is exempt from the obligations in sections 500.4 through 500.6, 500.8, 500.10, 500.14(a)(1), 500.14(a)(2) and 500.14(b), and 500.15 and 500.16 of the Cybersecurity Regulation.
Section 500.24 of the amended Regulation, which became effective November 1, 2023, provides for an exemption from the electronic filing and submission requirements upon approval. The request must be submitted at least 30 days before the filing due date and, amongst other things, must state the grounds on which it is made (undue hardship, impracticability, or good cause), the rationale supporting those grounds, and whether the request extends to future filings.
How to Comply
In a nutshell, one must:
- Determine the category in which the subject Covered Entity is classified,
- Determine if the Covered Entity qualifies for a full or limited exemption,
- Determine if the Covered Entity’s cybersecurity program is in compliance with applicable requirements,
- Submit a request for exemption from the electronic filing and/or submission requirements, if applicable and,
- Submit an annual Certification of Material Compliance or Acknowledgment of Noncompliance, to the extent applicable.
Outlined herein is a high-level overview of some of the salient changes in the recent 2nd Amendment to the New York Cybersecurity Regulation. This overview is intended as generalized guidance and is therefore limited rather than specific in nature. Should you have any questions, please don’t hesitate to reach out to the 3H Corporate Services team for assistance. Kindly note that 3H Corporate Services and Creative Compliance Software Solutions are compliant with all third-party obligations required of a Covered Entity pursuant to the New York State Cybersecurity Regulation, 23 NYCRR Part 500.