Insights

  • Home
  • Insights
  • NYDFS Expands Cybersecurity Regulations: Extortion Payment Reporting, Corporate Governance, and Technical Requirements

Share

2301403 Social

NYDFS Expands Cybersecurity Regulations: Extortion Payment Reporting, Corporate Governance, and Technical Requirements

A major amendment to the New York State Department of Financial Services' cybersecurity regulations establishes affirmative cybersecurity oversight duties and requires companies to report extortion payments to the agency.

NOVEMBER 2023 Alert

On November 1, the NYDFS adopted the first substantial amendment to its cybersecurity regulations, 23 NYCRR 500, since their issuance in 2017. These regulations apply, with limited exemptions, to businesses authorized to operate under New York's Banking Law, Insurance Law, or Financial Services Law. 

Key changes include: 

  • Extortion Payment Reporting. Covered entities must notify NYDFS within 24 hours of making an extortion payment and then provide a written description within 30 days detailing the payment's necessity, alternatives considered, and all relevant diligence performed. 
  • Corporate Governance Obligations. A covered entity's senior governing body must oversee cybersecurity risk management by having sufficient understanding of cybersecurity-related matters; regularly reviewing management reports about cybersecurity matters; and confirming that management has established a cybersecurity program and allocated sufficient resources to make it effective.
  • CISO's Duties. The Chief Information Security Officer ("CISO") must "timely" report "material" cybersecurity issues, including "significant cybersecurity events and significant changes to the covered entity's cybersecurity program," to the covered entity's senior governing body.
  • Notification ResponsibilitiesReportable cybersecurity incidents now include those occurring at a covered entity's third-party service providers.
  • Technical Safeguards. Covered entities must implement access and risk-based controls.
  • Written Policies and Procedures. Covered entities must implement written incident response and disaster recovery plans. Importantly, covered entities must also adopt IT asset management policies and procedures that include asset risk classification, risk oversight, and reporting across all IT capabilities and services.
  • Compliance Requirements. Covered entities must submit annual certifications to NYDFS attesting to "material" compliance with the regulations. If an entity is noncompliant, then it must identify the noncompliance and provide a remediation timeline.

Covered entities that generated at least $20,000,000 in gross annual revenue from New York over the past two years and had either (1) over 2,000 employees, or (2) over $1,000,000,000 in gross annual revenue during that period, must implement additional technical safeguards and conduct annual independent audits of their cybersecurity programs. 

With some exceptions, covered entities have until April 29, 2024, to comply with the new requirements. Covered entities must comply with the amendment's cybersecurity incident and extortion payment notification requirements by December 1, 2023.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.
Contributors
You May Also Be Interested In

April 2024 Alert

EPA Designates PFOA and PFOS as CERCLA Hazardous Substances

APRIL 2024 Commentary

New York's LLC Transparency Act: What You Need to Know

April 2024 Alert

EPA Issues the First-Ever National Drinking Water Standard for PFAS

APRIL 2024 Alert

U.S. Department of Energy Conditionally Commits Up to $1.5 Billion to Finance Nuclear Plant in Michigan

Before sending, please note:

Information on www.jonesday.com is for general use and is not legal advice. The mailing of this email is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Anything that you send to anyone at our Firm will not be confidential or privileged unless we have agreed to represent you. If you send this email, you confirm that you have read and understand this notice.