NY Revised Cybersecurity Regulation Goes Into Effect: What You Need to Know

On November 1, significant revisions to the regulations enforced by the New York Department of Financial Services (DFS) — the state’s financial services regulator — went into effect. The DFS revisions create a long-arm provision in that the changes affect not only New York State companies, but also their affiliates, and therefore the revisions could have an impact far beyond New York State borders.
DFS amended its cybersecurity regulations in November 2023, directly affecting New York State-regulated financial services companies, including insurers, crypto exchanges, mortgage servicers, foreign bank branches, money transmitters, student lenders, and fintech companies. The amended regulation, 23 NYCRR 500, often referred to as “Part 500,” has been touted by DFS as a first-of-its-kind regulation that aimed at improving institutional cybersecurity preparedness, response, and governance in New York’s financial services sector. Part 500 established various cybersecurity requirements for the so-defined “Covered Entity,” including maintenance of a cybersecurity program and designation of a qualified Chief Information Security Officer (CISO) overseeing the program; implementation of a written cybersecurity policy; regularly conducted vulnerability assessments; multi-factor authentication for external access to the company’s server; mandatory reporting of serious data breaches; and employee training.
Highlights of the changes to the DFS cybersecurity regulations include:

• Stepped-up requirements for larger companies. Companies with at least $20 million in gross annual revenue and more than 2,000 employees will face additional regulatory burdens. These enhanced requirements include automated blocking of low-security passwords, independent audits, and monitoring of anomalous activity.
• Expanded breach notification requirements. In the past, DFS required financial institutions to report cybersecurity incidents, such as security breaches, within 72 hours of occurrence. The revised regs now require such notifications not only for New York-regulated financial institutions but also for those institutions’ affiliates and third-party service providers.
• Ransomware payments. Random payments paid in connection with cybersecurity breaches must be reported to DFS with a notice of the payment within 24 hours. Companies must also explain to DFS why the payment was necessary, and describe pre-payment diligence performed in search of alternative solutions to ransom payments.
• Narrowing of small business exceptions. Historically DFS has exempted small businesses from some of the cybersecurity requirements, such as the definition of companies that qualify for small business exemptions has tightened. While the number of employees for qualified small businesses doubled from 10 to 20, the definition of “employees” now includes independent contractors and non-New York corporate affiliates. Similarly, while the amount of revenue allowable for the small business exception has grown from $5 million to $7.5 million in gross annual revenue in each of the last three years, “revenue” now includes revenue from all corporate affiliates, not just those located in New York. In addition to shrinking the pool of qualified small businesses, DFS has shortened the list of exceptions for those small businesses. For example, they are no longer exempt from multi-factor authentication requirements. In addition, companies are required to train all employees in cybersecurity awareness including social engineering, a method of cyber attack that seeks to coerce victims into divulging sensitive information by pretending to be a legitimate person or entity. In imposing these requirements on small businesses, DFS has put into practice a recognition that the vast majority of cyber attacks originate from social engineering, and that multi-factor authentication stands as one of the most cost-effective and dependable bulwarks against cyber criminals.
• Expanded enforcement powers. The changes carry the potential to significantly expand DFS enforcement powers. The revisions make clear that a single act prohibited by the regulations amounts to a violation of Part 500. In other words, a single cyber breach exposing millions of consumers’ private data, such as dates of birth and Social Security numbers, technically could result in penalties of nine or ten figures (yes, billions, or tens of billions of dollars). To temper objections to such massive penalty exposure, the revised regulations require DFS to take into account factors that could serve to cap an otherwise exorbitant fine, including cooperation in the investigation, lack of intentional conduct leading to the breach, history of prior violations, and potential for consumer harm.

DFS cybersecurity regulations cover a broad array of industries, including insurance, banking, crypto, and more. To date, enforcement actions that have been brought against crypto exchanges, property insurers, and mortgage services, were among the first enforced by a U.S. regulator. Since their launch in 2017, federal and state regulators have followed the DFS model in drafting their own regulations. Businesses would be wise to review these DFS amendments as other regulators follow suit in the coming months and years.