Understanding the Second Amendment to 23 NYCRR 500
Articles by: Richey May, Nov 29, 2023
The New York State Department of Financial Services (NYDFS) has adopted the Second Amendment to 23 NYCRR 500, the regulation that sets cybersecurity requirements for financial services companies it licenses or supervises. The amendment reflects the evolving threat landscape and raises the bar for what NYDFS considers a robust cybersecurity program in the financial sector.
Key Changes in the Amendment include:
Revised Definitions and Classifications: The amendment adds new definitions and modifies existing ones to provide greater clarity. Three of the new definitions are particularly important:
- A new category of covered entity, the ‘Class A company’: a covered entity with at least $20 million in gross annual revenue in each of the last two fiscal years from the New York business operations of the covered entity and its affiliates, and either more than 2,000 employees (averaged over the last two fiscal years, counting the covered entity and all of its affiliates wherever located) or more than $1 billion in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and its affiliates. Class A companies must meet additional requirements that NYDFS expects of organizations of their size, such as independent audits of the cybersecurity program, a privileged access management solution with automated blocking of commonly used passwords, and endpoint detection and response combined with centralized logging and alerting.
- A definition of the CISO (Chief Information Security Officer): a qualified individual responsible for overseeing and implementing the covered entity’s cybersecurity program and enforcing its cybersecurity policy. The CISO may be employed by the covered entity, by one of its affiliates, or by a third-party service provider, so a covered entity may still rely on an outside party for CISO leadership.
- A definition of Cybersecurity Incident, which clarifies what NYDFS considers a reportable event: a cybersecurity event at the covered entity, an affiliate, or a third-party service provider that impacts the covered entity and requires notice to a government, self-regulatory, or other supervisory body; that has a reasonable likelihood of materially harming a material part of the covered entity’s normal operations; or that results in the deployment of ransomware within a material part of the covered entity’s information systems.
Three Types of Entities: As noted above, NYDFS has added the Class A classification; Class A companies must adhere to every requirement of the regulation plus the additional Class A provisions. The other two categories are Standard Covered Entities and Exempt organizations. Standard Covered Entities must adhere to every requirement of the regulation except the additions that apply only to Class A companies.
- NYDFS has added to and modified the previous exemptions, so more organizations can now claim a limited or full exemption. A Covered Entity qualifies for the limited exemption if it meets any one of the following:
– Fewer than 20 employees (including independent contractors) of the Covered Entity and its Affiliates located in New York or responsible for the Covered Entity’s business; OR
– Less than $7.5 million in gross annual revenue in each of the last three fiscal years from the New York business operations of the Covered Entity and its Affiliates; OR
– Less than $15 million in year-end total assets, including the assets of all Affiliates.
- Full exemptions are available to specific types of organizations (for example, entities that do not operate, maintain, or use any information systems and hold no nonpublic information) and are set out in 23 NYCRR 500.19.
Enhanced Cybersecurity Program Requirements: Covered entities must maintain a more comprehensive cybersecurity program, based on a documented risk assessment, that implements the core cybersecurity functions: identifying and assessing internal and external cybersecurity risks, using defensive infrastructure and policies to protect information systems and nonpublic information from unauthorized access and other malicious acts, detecting cybersecurity events, responding to them to mitigate their effects, recovering and restoring normal operations, and fulfilling the regulation’s reporting obligations.
Vulnerability Management: The amendment requires covered entities to develop and implement written policies and procedures for vulnerability management, as part of the monitoring and testing used to assess and maintain the effectiveness of the cybersecurity program. NYDFS now spells out that a vulnerability management program must include:
- Penetration testing of the covered entity’s information systems at least annually, performed by a qualified internal or external party, and conducted from both inside and outside the information systems’ boundaries.
- Automated vulnerability scanning of information systems, plus a manual review of any systems the automated scans cannot cover, for the purpose of discovering, analyzing, and reporting vulnerabilities. NYDFS does not prescribe a fixed scanning frequency; the frequency must be determined by the risk assessment, and scanning must also be performed promptly after any material system change, such as a major infrastructure update or the introduction of a major new system (for example, a financial management system) into the company’s network.
- Timely remediation of identified vulnerabilities, prioritized by the risk they pose, and a process for monitoring public sources for new security vulnerabilities affecting the covered entity.
Access Privileges and Management: The amendment tightens controls on user access privileges. Access to information systems that hold nonpublic information must be limited to what is necessary for the user’s job, privileged accounts must be restricted and used only when needed, all user access privileges must be reviewed at least annually, and access must be promptly disabled or removed when it is no longer required (for example, after an employee departs). Class A companies must additionally deploy a privileged access management solution and automatically block commonly used passwords.
Multi-factor Authentication and Encryption: The amendment broadens the multi-factor authentication requirement so that MFA is required for any individual accessing any information system of the covered entity, with narrow alternatives available only where the CISO has approved in writing reasonably equivalent or more secure compensating controls. Nonpublic information must be encrypted both in transit over external networks and at rest; compensating controls are now permitted only for data at rest, must be approved in writing by the CISO, and must have their feasibility and effectiveness reviewed at least annually.
Incident Response and Business Continuity Management: Covered entities must establish written incident response, business continuity, and disaster recovery plans containing proactive measures for managing cybersecurity events and ensuring operational resilience. The plans must be tested at least annually, relevant staff must be trained on them, and covered entities must maintain backups that are protected from unauthorized alteration or destruction and periodically tested for restoration.
Notices and Compliance Certifications: The amendment sets out how and when to notify the superintendent. A covered entity must give notice within 72 hours of determining that a cybersecurity incident has occurred, must report any extortion payment made in connection with an incident within 24 hours (followed within 30 days by a written explanation of why the payment was necessary and what alternatives were considered), and must submit an annual certification of compliance (or a written acknowledgment of non-compliance with a remediation plan) by April 15 each year, signed by the highest-ranking executive and the CISO.
The amendment took effect on November 1, 2023. The revised notification and certification requirements in section 500.17 applied from December 1, 2023, most of the remaining changes apply from April 29, 2024, and the phased timeline continues through November 1, 2024 and May 1, 2025, with full compliance with all newly amended requirements (including the expanded MFA and asset inventory requirements) due by November 1, 2025.
What Do These Changes Mean for Financial Services Companies?
The changes brought by this amendment emphasize a more proactive and structured approach to managing cybersecurity risks. Financial services companies must:
- Understand which requirements apply to their organization, based on whether they are a Class A company, a Standard Covered Entity, or eligible for a limited or full exemption.
- Revise their cybersecurity policies and programs to comply with the new definitions and requirements, document the written procedures that implement those policies, and have the policies and procedures reviewed and approved through the required governance process.
- Ensure proactive and robust vulnerability management and access control programs are in place.
- Enhance their incident response, business continuity, and disaster recovery plans so they can respond quickly and effectively during an incident, and test those plans.
- Prepare for the tighter reporting deadlines and the annual certification requirements.
The Second Amendment to 23 NYCRR 500 is a significant step in strengthening cybersecurity standards in the New York financial sector, and it is likely to have ripple effects on compliance expectations in other industries as well. Financial institutions should plan for compliance along NYDFS’s phased implementation timeline, based on their covered entity type (Class A, Standard, or Limited Exemption). By treating compliance as a program rather than a checkbox, covered entities can align their cybersecurity strategies with the new requirements while protecting their information systems and their clients’ information.
For organizations looking for assistance in complying with the amended regulation, Richey May Cyber offers a range of services, including vulnerability management and penetration testing, cybersecurity program buildout, managed security services, and virtual CISO services. Our expertise can guide your organization through the complexities of adhering to these enhanced cybersecurity standards, ensuring that your cybersecurity measures are not only compliant but also effective and resilient in an ever-evolving cyber landscape. Contact email@example.com to learn more.