
New York Cybersecurity Regulations: Update

by John DiGiacomo, Partner

New York's cybersecurity regulations, proposed by Governor Andrew Cuomo, were originally scheduled to take effect on January 1, 2017, as we wrote about here. But after leaders in the financial community voiced concern over the rules in late December, a hearing was held on the matter and the effective date was pushed back to March 1, 2017. The regulations apply to banks, financial institutions, and insurance providers conducting business in New York, and they are meant to improve the cybersecurity measures taken by every financial institution in the state, from the big Wall Street banks to local community banks.

The new regulations are designed to bring cybersecurity and cyber threat awareness to the attention of businesses that are heavily involved in financial matters for the public. These financial institutions are entrusted with the public’s hard-earned money, and there is an ever-increasing risk of data security breaches. Banks, financial institutions and insurance companies need to take responsibility for protecting customer data and accounts.

A Rush to Comply With the New York Cybersecurity Regulations

Banks, financial institutions and insurance companies fought for a compliance extension because, for some of them, compliance required substantial effort. Under the new cybersecurity regulations many entities must perform system upgrades, implement new security measures, and develop a number of written plans, all of which takes time to accomplish. Many entities covered under the new regulations were scrambling to bring their systems into compliance.

More than 150 covered entities penned letters to New York lawmakers lobbying to push the compliance deadline back from the quickly approaching January 1 date. Additionally, opponents of the new regulation urged lawmakers to amend it.

Issues Raised By Covered Entities About the New Regulations

Some of the concerns raised by banks and insurance companies include the cost associated with compliance being too high, the regulations being tough on the financial industry, and the new regulations being out of sync with other government entities that have been required to adopt cybersecurity regulations, such as the Federal Reserve and the Federal Deposit Insurance Corporation. Additionally, under the regulations, banks are forced to hire Chief Information Security Officers if they do not already have one. Incident reporting is also a concern — all cybersecurity incidents would need to be reported under the new regulations, even if the threat is managed by the covered entity. Incident reports could be accessed by the public under the Freedom of Information Act, potentially exposing how many threats financial institutions regularly face.

23 NYCRR Part 500: The Regulation’s Full Scope and Enforcement History

The New York Department of Financial Services (DFS) cybersecurity regulation — codified at 23 N.Y.C.R.R. Part 500 — took effect in phases beginning March 1, 2017 and has since been significantly expanded. Understanding the full scope of the regulation, its amendment history, and the DFS’s aggressive enforcement track record is essential for any covered entity.

Who Is Covered Under 23 NYCRR Part 500?

The regulation applies to any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under New York Banking Law, Insurance Law, or Financial Services Law. This encompasses a broad universe of entities: state-chartered banks, licensed mortgage servicers, insurance companies, licensed money transmitters, check cashers, budget planners, premium finance agencies, and others. Foreign banks with New York branches are covered. The breadth of coverage is intentional — DFS designed the regulation to reach the full range of financial services entities that handle New York consumers’ financial data.

Key Requirements Under 23 NYCRR Part 500

The core requirements of 23 NYCRR Part 500 include:

  • Cybersecurity program and policy (Sections 500.02 and 500.03). Covered entities must maintain a cybersecurity program based on a risk assessment, and must adopt written cybersecurity policies addressing a defined set of core areas including data governance, access controls, business continuity, and customer data privacy.
  • Chief Information Security Officer (Section 500.04). Each covered entity must designate a CISO responsible for overseeing and implementing the cybersecurity program. The CISO must report at least annually to the board of directors or equivalent governing body.
  • Penetration testing and vulnerability assessments (Section 500.05). Covered entities must conduct annual penetration testing of their information systems and quarterly vulnerability scans.
  • Multi-factor authentication (Section 500.12). MFA is required for any individual accessing the covered entity’s internal networks from an external network, and for any privileged accounts.
  • Encryption (Section 500.15). Covered entities must implement encryption to protect nonpublic information in transit over external networks and, to the extent feasible, at rest.
  • Third-party service provider security (Section 500.11). Covered entities must implement written policies and procedures governing the cybersecurity practices of third-party service providers and must include cybersecurity representations in contracts with providers that access the covered entity’s nonpublic information.
  • Incident notification (Section 500.17). Covered entities must notify DFS within 72 hours of determining that a cybersecurity event has occurred that requires notice to any government body, self-regulatory agency, or other supervisor, or that has a reasonable likelihood of materially affecting the covered entity.

The 2023 Amendments: Expanded Requirements

In November 2023, DFS adopted sweeping amendments to 23 NYCRR Part 500 that significantly expanded its requirements. The amendments created a new category of “Class A” covered entities — those with over 2,000 employees or over $1 billion in gross annual revenue — subject to heightened requirements, including independent audits of cybersecurity programs. The amendments also added new requirements for all covered entities: annual board-level approval of cybersecurity budgets, policies for monitoring privileged access, enhanced multi-factor authentication requirements, and new provisions addressing cloud services and supply chain risk.

DFS Enforcement Actions

DFS has demonstrated willingness to bring enforcement actions with substantial penalties against companies that violate 23 NYCRR Part 500. In 2021, DFS assessed a $4.5 million penalty against National Securities Corporation for cybersecurity failures after a phishing attack. In 2022, DFS assessed a $5 million penalty against EyeMed Vision Care for security failures connected to a phishing attack that compromised the personal information of 2.1 million individuals. In 2023, DFS assessed an $11.3 million penalty against OneMain Financial Group for multiple violations of Part 500. These enforcement actions demonstrate that DFS treats cybersecurity compliance as a genuine enforcement priority, not merely a regulatory formality.

Contact a Cybersecurity Lawyer

The revision to the New York cybersecurity regulations shows how this area of law is under constant pressure. Changes and revisions are made all the time to address new cybersecurity threats and risks. Revision Legal works extremely hard to stay current on the dynamic nature of cybersecurity and DFS compliance. Contact the experienced cybersecurity attorneys at Revision Legal using the form on this page or call us at 855-473-8474.
