
NYDFS Cybersecurity Regulation Compliance Requirements for November 1, 2024

As we previously reported, in 2023 the New York State Department of Financial Services (NYDFS) amended its cybersecurity regulation, 23 NYCRR 500 (or Part 500). NYDFS has published guidance on the implementation timeline for key compliance dates for the various categories of entities impacted. These include Small Businesses, Class A Companies and Covered Entities.

As of November 1, 2024, the following requirements will be effective for Class A Companies and Covered Entities:  

Cybersecurity Governance (500.4)

Chief Information Security Officers (CISOs) must include plans for remediating material inadequacies in written reports to senior governing bodies. In addition, CISOs will be required to timely report to senior governing bodies or senior officers on material cybersecurity issues, such as significant cybersecurity events and changes to the cybersecurity program. Entities’ senior governing bodies will be required to exercise oversight of cybersecurity risk management. 

Encryption of Nonpublic Information (NPI) (500.15)

Entities will be required to implement a written policy requiring encryption that meets industry standards. Entities may no longer use effective alternative compensating controls for encryption of NPI in transit over external networks; however, entities may use effective compensating controls for encryption of NPI at rest provided that the compensating controls are reviewed and approved in writing by the CISO at least annually. 

Incident Response and Business Continuity Management (500.4)

Incident response plans continue to be required, but they must be updated as specified and tested at least annually. Business continuity and disaster response plans that are reasonably designed to address a cybersecurity-related disruption as specified must also be in place. Covered Entities must also train all employees involved in the plans’ implementation, test the plans with critical staff, and revise the plans as necessary; test the ability to restore critical data and information systems from backups; and maintain and adequately protect the backups necessary to restore material operations.

As of November 1, 2024, the following requirements will be effective for Small Businesses:

Multi-Factor Authentication (500.12(a))

Small Businesses must implement multi-factor authentication (MFA) for any remote access to their information systems, remote access to third-party applications where NPI is accessible (including cloud applications), and to privileged accounts. 

Cybersecurity Training (500.14(a)(3))

At least once a year, Small Businesses must provide cybersecurity awareness training to all personnel that covers social engineering, such as phishing, business email compromises, and techniques enhanced by AI, like deepfakes. 
