
September 4, 2024

NYDFS’s Second Amendment to 23 NYCRR Part 500 is Reshaping Cybersecurity Standards

On November 1, 2023, the New York Department of Financial Services (NYDFS) finalized the second amendment to its cybersecurity regulation, 23 NYCRR Part 500 (the Second Amendment), marking a significant shift in the regulatory landscape. As we approach the one-year mark, the additional requirements introduced by this amendment are set to take effect through November 2025. In this article, we’ll delve into the key changes between the first and second amendments and examine their broader impact on the cybersecurity regulatory environment.

The Cybersecurity Regulatory Landscape

The NYDFS Part 500 Cybersecurity Regulation is a yardstick for cyber regulation across the country. This is evidenced by the NAIC Data Security Model Law (Model Law). The Model Law seeks to establish data security standards for regulators and insurers to mitigate the potential damage of a data breach. The Model Law is a proposed set of guidelines that states can adopt and was created based in part on Part 500. 
As of August 2024, the Model Law has been adopted by 25 states and is pending in four additional states. Since its creation in 2018, adoption has steadily progressed throughout the US and is expected to continue to grow. Updates to Part 500 will likely ripple through other states’ cyber legislation.

Second Amendment Requirements

Part 500 was amended for the first time in April 2020. In the last four years, the cybersecurity threat landscape has changed dramatically, and regulation is catching up to ensure the integrity and security of financial systems and consumer data. 

Below is a high-level summary of the requirements from the Second Amendment.

The qualifications for Class A companies depend on gross revenue and employee count (over 2,000 employees averaged over the last two fiscal years, including employees of both the covered entity and all of its affiliates regardless of location, or over $1,000,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and all of its affiliates). See the Class A Determination Tool to help determine whether your company falls into this category (the calculations only work in the downloaded document, not in the web version).

Class A companies are required to design and conduct independent audits of their cybersecurity program based on their risk assessment.

The original Part 500 includes a comprehensive list of required policies. The Second Amendment additionally requires formal documentation of end-of-life management, remote access, and vulnerability and patch management policies and procedures. The Second Amendment also specifies that the policies must be approved annually by the senior governing body. This annual review requirement is restated in 500.08 to include all “procedures, guidelines and standards.”

Additional policies:
(h) Security awareness and training
(o) Vulnerability management

Updated policies (the updated portions were bolded in the original):
(b) data governance, classification and retention
(c) asset inventory, device management and end of life management
(d) access controls, including remote access and identity management
(g) systems and network security and monitoring
(i) systems and application security and development and quality assurance
(n) incident response and notification

In addition to the policies listed in 500.3, further policy requirements appear later in the regulation and can be assumed to fall under the categories listed in 500.3. An example is Encryption (500.15).

The expansion of governance continues with additional requirements for the CISO and board of directors or senior governing body. Currently, the CISO is required to report to the Board of Directors annually on the company’s cybersecurity program and material cybersecurity risks. The Second Amendment requires additional annual reporting to the board of directors on plans for remediating inadequacies, as well as timely reporting on material cybersecurity issues or significant cybersecurity events.

Given enhanced reporting to the board of directors, the Second Amendment specifies that the Board of Directors is required to have sufficient knowledge and expertise of cybersecurity related matters or be advised by such persons, to exercise effective oversight of cybersecurity risk management.

The scope of penetration testing expands to include both internal and external testing and must be conducted by a qualified internal or external party. Vulnerability scans must be automated, with a manual review of systems not covered by such scans, in addition to a process to monitor and remediate vulnerabilities. Vulnerabilities and issues found in these scans must be remediated in a timely manner based on their risk.

Privileged accounts, as defined, must be limited to only those necessary to perform the user’s job function and require access to be removed as soon as it is no longer needed. A periodic review of all user access privileges supports this limitation.

The guidance takes security a step further by requiring additional access controls:

  • Disable or securely configure the ability to remotely access devices,
  • Promptly terminate access following departures, and
  • If passwords are used as an authentication method, they must comply with the company’s password policy.

Class A companies must have a privileged access management solution and an automated method of blocking commonly used passwords.

The risk assessment requirement is strengthened to require that the risk assessment must be reviewed “at a minimum annually, and whenever a change in the business or technology causes a material change to the covered entity’s cyber risk.”

MFA is required for remote access to the company’s information systems, for third-party applications that access nonpublic information (NPI), and for all privileged accounts other than service accounts that prohibit interactive login. However, there is an exception for instances where reasonably equivalent or more secure compensating controls are documented and approved by the CISO in writing. Compensating controls must be periodically reviewed based on the company’s risk assessment, but at a minimum annually.

Both asset and access issues revolve around a lack of controls over sensitive data. The asset inventory is one of the more significant updates in the Second Amendment. Previously, this section only required disposal of NPI that is no longer needed for business operations. The amendment requires an asset inventory for all information systems and their supporting components. This includes a variety of items such as hardware, operating systems, applications, infrastructure devices, APIs, and cloud services. Key information must be tracked, including the information owner, location, classification, support expiration date, and recovery time objectives.

The Second Amendment requires that email be monitored and filtered to block malicious content. It also expands annual cybersecurity awareness training to include training on phishing emails and other social engineering methods. Remember, employees represent the greatest security risk to an organization, and training is a simple yet effective defense.

Endpoint detection must be implemented to monitor the network and must include centralized logging and security event alerting. If this is not in place, the CISO must approve in writing the use of reasonably equivalent or more secure compensating controls.

Encryption requirements are updated to include an encryption policy. The allowance for compensating controls where encryption of nonpublic information at rest is infeasible has been updated to require that those controls be reviewed by the CISO at least annually.

In one of the largest section updates to the Second Amendment, the updated requirements for the business continuity and disaster recovery (BCDR) and incident response plans (IRP) help clarify the identification, response, and remediation of events. 

IRPs must be updated to include goals and internal processes for responding to cybersecurity events. If a cybersecurity event occurs, the company is required to prepare a root cause analysis, including what will be done to prevent recurrence.

BCDR plans are required to designate essential data and personnel, communication plans, and back-up facilities, and to identify necessary third parties. Companies are required to document procedures for the maintenance of back-up facilities, systems, and infrastructure, as well as alternative staffing.

Companies must maintain the backups necessary to restore material operations, and those backups must be adequately protected from unauthorized alteration or destruction.

The IR and BCDR plans require testing at least annually with all staff who are critical to the response. These plans must be available to all applicable employees and a copy must be available at an offsite location.

The company is required to provide training to all employees responsible for implementing the plans. The plans also need to be reviewed and updated by all participants.

Section 500.17 retains the 72-hour notification rule for a cybersecurity event and also applies it to cybersecurity events at affiliates and third-party service providers that affect a covered entity. After giving notice of the cybersecurity event, covered entities are required to promptly provide any information requested by the superintendent regarding the event, and they have a continuing obligation to update and supplement the information provided.

Two additional notification requirements apply to extortion payments related to a cybersecurity event: 

  • Notice of the extortion payment within 24 hours, and
  • A written description of why the payment was necessary, the alternatives that were considered, and the sanctions diligence conducted, within 30 days of the extortion payment.

The annual submission deadline to the superintendent is changed from February 15 to April 15. Submissions that identify areas for improvement must include remediation plans. The certification allows for an acknowledgement of less-than-full compliance, with identification of specific deficiencies. However, companies must be prepared to provide the NYDFS with documentation of a remediation timeline or confirmation that remediation has been completed. The certification must be signed by the entity’s highest-ranking executive and its CISO, and must be based on documentation that demonstrates compliance.

Curious whether you qualify for an exemption? See the Exemption Flowchart or the Exemption Determination Tool to help you make this determination.

Second Amendment Deadlines

The Second Amendment to Part 500 takes effect in phases. These phases depend on which classification a company falls into (small businesses, Class A companies, and other covered entities). See the following timeline for key compliance dates for each category. These deadlines started December 1, 2023 and continue through November 1, 2025.

To prepare for the extensive list of enhanced cybersecurity requirements, begin by reviewing your cybersecurity program, identifying areas for improvement, and assessing whether your organization has the internal resources needed to address them. NYDFS has a handy template that can help you start this process. Johnson Lambert’s advisory and consulting practice can support your team in developing a comprehensive plan. We can assist with:

  • Conducting a gap analysis to evaluate your current cybersecurity program by engaging key personnel, reviewing policies, and performing walkthroughs to identify potential vulnerabilities. We’ll collaborate with management to provide risk assessments and recommendations for improvement.
  • Creating a compliance roadmap by helping you outline the necessary steps to enhance your cybersecurity processes and effectively communicate these strategies with your team.
  • Testing the effectiveness of your cybersecurity program through an independent assessment to provide a basis for submitting certification of compliance to the superintendent.

To learn more about how Johnson Lambert’s advisory services can assist your organization, contact our team today.

Carly Kanwisher

Senior Manager - Business Advisory Services
