
Cybersecurity Regulation Changes In New York

November 20, 2023


Comprehensive amendments have been added to the New York State Department of Financial Services cybersecurity regulations, effective Dec. 1, 2023. The Kramer Levin site goes into detail about the requirements. In summary:

A new class of covered entity, “Class A Companies,” has been created. They are entities, including affiliates, that have over $20 million in gross annual revenue from business operations in New York in each of the past two years, and either have over 2,000 employees worldwide or over $1 billion in gross annual revenue worldwide.

Under the heightened requirements, Class A Companies must conduct annual independent audits of cybersecurity programs, monitor privileged access activity, and implement endpoint detection and response solutions to monitor and log potentially anomalous activity and security events.

Starting Dec. 1, all covered entities must notify the NYDFS within 72 hours of any “cybersecurity event” that might materially harm normal operations or involve ransomware. A “cybersecurity event” is defined as any act or attempt to gain unauthorized access to, disrupt, or misuse an information system or the information stored there.

Covered entities must notify the NYDFS within 24 hours of paying a ransom or making any other payment in connection with a cybersecurity event. A written explanation of why payment was necessary is required within 30 days.

Updates of internal risk assessments are due April 29, 2024. From then on they are due annually, or whenever a change in operations or technology causes a material change to the business’s cyber risk.

The amendments make significant additions to the list of areas that updated cybersecurity policies must address. They include data retention, end-of-life management, remote access controls, systems and network monitoring, and several others.
