November 1, 2024, marks the one-year anniversary of the second amendment to the New York Department of Financial Services’ (“NYDFS” or the “Department”) Cybersecurity Regulation (the “Regulation” or “Part 500”). It is also the date that a number of new requirements under Part 500 come into effect, including requirements surrounding governance, encryption, and incident response and business continuity planning.
In Part One of this two-part Debevoise Data Blog post, we go over the new cybersecurity requirements coming into effect in November and offer a few practical considerations for covered entities as they evaluate their Part 500 compliance. Part Two will cover the definition of “Material Compliance” under Part 500, which many covered entities will be considering as they work to update their policies and procedures in light of the new requirements.
New Rules Effective November 1, 2024
The amended Part 500 became effective on November 1, 2023, but some elements had longer compliance windows. Many sections of the amended Part 500 had transition periods that ranged from several months (including for new risk assessment, penetration testing, and audit requirements) to one or more years (including for amended MFA and asset inventory requirements).
The following amended requirements had one-year transition periods, and will come into effect on November 1, 2024:
- Additional Board Reporting: CISOs are required to report annually to the board (or senior governing body) on plans for remediating material inadequacies, as well as to timely report to the board on “material cybersecurity issues, such as significant cybersecurity events and significant changes to the… cybersecurity program.” [500.4(b) and (c)]
- Board Oversight: The board or senior governing body of covered entities must exercise oversight of cybersecurity risk management by (1) “having sufficient understanding of cybersecurity-related matters to exercise such oversight, which may include advice of advisors”; (2) requiring management to “maintain the covered entity’s cybersecurity program”; (3) “regularly… reviewing management reports about cybersecurity matters”; and (4) confirming that management has “allocated sufficient resources to implement and maintain an effective cybersecurity program.” [500.4(d)]
- Encryption: Covered entities must implement a written encryption policy which meets industry standards. Covered entities are no longer permitted to implement compensating controls as alternatives to encryption of nonpublic information in transit over external networks, but they are permitted to use compensating controls for encryption of nonpublic information at rest upon receiving written approval from the CISO. [500.15]
- Incident Response Plans: Incident response plans need to address “recovery from backups” and “root cause analysis that describes how and why the event occurred, what business impact it had, and what will be done to prevent reoccurrence.” [500.16(a)(1)]
- BCDR Plans: Covered entities are required to have a BCDR plan to ensure the availability of the covered entity’s information systems and material services. Such plans shall: (1) “identify documents, data, facilities, infrastructure, services, personnel and competencies essential to the continued operations of the covered entity’s business”; (2) “identify the supervisory personnel responsible for implementing each aspect of the BCDR plan”; (3) “include a plan to communicate with essential persons in the event of a cybersecurity-related disruption”; (4) “include procedures for the timely recovery of critical data and information systems”; (5) “include procedures for backing up… information essential to the operations of the covered entity and storing such information off-site”; and (6) “identify third parties that are necessary to the continued operations of the covered entity’s information systems.” [500.16(a)(2)]
Practical Considerations
The new requirements coming into effect in November provide an opportunity for covered entities to analyze their holistic compliance with Part 500. As they work to update their practices to comply with the new requirements, covered entities may want to consider:
- Gap Assessments: Conducting gap assessments between their cybersecurity program and the Part 500 requirements can help ensure covered entities are in compliance with both the new requirements coming into effect in November and the requirements already in effect. Covered entities may also want to consider cybersecurity-related AI risks in their gap assessments, in light of the NYDFS’s recent AI guidance.
- Board Briefings and Tabletops: As Part 500’s new board oversight requirements come into effect, covered entities may want to consider holding cybersecurity tabletop exercises for their executive teams and increasing board briefings to ensure that senior management and the board are aware of the entity’s cyber risk landscape and security gaps. Registrants and other SEC-regulated entities can also use this opportunity to demonstrate their proactive efforts to reduce cyber risk to the SEC, which continues to scrutinize information security and operational resiliency practices at regulated entities.
- Policy Updates: Covered entities may want to review language in their incident response and business continuity policies and plans to ensure that they track the Part 500 requirements, such as the requirement to complete incident root cause analyses following an incident.
- Out-of-Band Communications: Covered entities may want to consider proactively setting up out-of-band communications that can be activated in the event that a cybersecurity incident affects normal communication channels. As part of this process, entities should ensure that any out-of-band communication channels comply with applicable security and retention requirements. While many companies have tools to push out a one-way message in case of emergency, it is helpful to have a platform that allows for the exchange of emails and attachments in the event of an incident.
- Preparedness for Upcoming Requirements: The Part 500 requirements that are likely to be the most labor-intensive are still ahead. Starting November 1, 2025, companies will be required to implement MFA for all individuals accessing information systems and to develop policies and procedures for the creation of a complete and accurate asset inventory. For many companies, these requirements will take significant time and resources to implement, and companies may want to have budgets approved and workplans in progress to ensure that they are compliant by November 1, 2025.