Sweeping Amendments to NYDFS Cybersecurity Regulation

On November 1, 2023, the New York Department of Financial Services (NYDFS) announced extensive amendments to its cybersecurity requirements for financial institutions issued under 23 NYCRR Part 500.  The amendments are intended to address the evolution in the cybersecurity landscape since the regulation was first enacted in 2017, including the increasing sophistication of threat actors and improvements in the tools available for organizations to protect themselves. Covered entities continue to include entities operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation or similar authorization under NY Banking Law, Insurance Law or Financial Services Law.

Key changes in the amended regulation include:   

  • Creating a new class of covered entities (based on revenue and/or employee thresholds) that are subject to heightened requirements;
  • Enhancing requirements related to vulnerability management, access controls, and the use of encryption;
  • Providing prescriptive requirements related to the use of multi-factor authentication;
  • Requiring the implementation of policies and procedures related to business continuity and disaster recovery;
  • Requiring additional controls to prevent unauthorized access to information systems;     
  • Updating cybersecurity incident notification requirements, including a new requirement to report ransomware payments; and
  • Amending the scope of the exemptions and enforcement provisions under the regulation.

The amended requirements will take effect in phases, with some having already come into force on November 1, 2023.

FTC Implements Security Incident Notification Requirement under Safeguards Rule

In other financial services information security developments, the Federal Trade Commission (FTC) issued a final rule creating a security incident notification requirement under its Gramm Leach Bliley Act (GLBA) Safeguards Rule. The FTC’s Safeguards Rule implements GLBA’s security requirements, with the FTC having Safeguards Rule jurisdiction over mortgage lenders, certain non-bank lenders, finance companies, mortgage brokers, account services, check cashers, wire transferors, collection agencies, credit and financial advisors, tax preparation firms, and investment advisors that are not required to register with the Securities and Exchange Commission.

Under the final rule, covered financial institutions must electronically notify the FTC within 30 days of discovering a “notification event” that involves the information of at least 500 consumers. The scope of data and incidents that could be subject to the rule is very broad. A notification event is defined as the “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” The Safeguards Rule broadly defines “customer information” as any record containing nonpublic personal information about a [consumer] customer of a financial institution, whether in paper, electronic, or other form.” For example, the fact that a consumer is a financial institution’s customer would itself be customer information subject to the rule. The definition of “notification event” also presumes that customer information was “acquired” if there was unauthorized access to such information; to rebut this presumption, a financial institution must have reliable evidence showing that there has not been or could not reasonably have been unauthorized acquisition. The rule does not include a good faith exception like the U.S. state security breach notification laws for situations where an employee or contractor mistakenly accesses or acquires personal information.

The rule will take effect 180 days after its publication in the Federal Register. The FTC will post the notifications it receives publicly on its website.

For more information, please contact your DLA relationship Partner, the authors of this blog post, or any member of our Data Protection team.