November 1, 2024 marked the one-year anniversary of the second amendment to the New York Department of Financial Services’ (“NYDFS” or the “Department”) Cybersecurity Regulation (the “Regulation” or “Part 500”). In Part One of this Debevoise Data Blog post series, we discussed the Part 500 requirements that came into effect on November 1, 2024. In this Part Two, we look at what constitutes “material compliance” under Part 500, which has been a key focus area for covered entities as they work to align company practices to Part 500’s new requirements and prepare for their April 2025 certification of material compliance with Part 500 for calendar year 2024.
Material Compliance Under Part 500
Under Section 500.17(b)(1), covered entities are required to file a yearly certification stating that the entity materially complied with the Part 500 requirements during the prior calendar year. This certification must be signed by the covered entity’s highest-ranking executive (e.g., CEO) and its CISO, and must be based on data and documentation that is “sufficient to accurately demonstrate such material compliance.” Alternatively, if the entity cannot certify that it was materially compliant with Part 500, it must file an acknowledgement of noncompliance, signed by the CEO and CISO, noting with which specific requirements of Part 500 it was not materially compliant. Covered entities should note that these certifications are not made public, and NYDFS does not publish the compliance status of covered entities.
The NYDFS has not provided a clear definition for what it considers as “material compliance,” leaving the materiality determination up to each entity to assess based on their individual circumstances.
In its Part 500 FAQs, the NYDFS states that “[a] Covered Entity must determine whether any noncompliance with the Cybersecurity Regulation was significant in the overall context of the Covered Entity’s circumstance.” Similarly, in its Assessment of Public Comments (“APC”), the NYDFS notes that “[w]hether a covered entity has materially complied with the requirements of Part 500 applicable to them depends upon many factors, including both the severity of compliance failures and the length of time of those failures.” There is no bright-line rule as to either material compliance or noncompliance but, as discussed below, it is quite clear that the mere existence of a controls deficiency does not per se mean that the covered entity was not materially compliant.
To make the determination whether one or more lapses in Part 500 compliance would require the filing of an acknowledgement of noncompliance, the NYDFS notes in its FAQs that entities should consider, among others, the following factors:
- the industry in which the entity operates;
- the size of the entity;
- the type and amount of data the entity maintains;
- the nature of the noncompliance;
- the duration of the noncompliance;
- the scope of the noncompliance;
- the impact of the noncompliance; and
- other instances of noncompliance of similar nature.
Notably, the same type of noncompliance may be considered material at one entity and immaterial at another, depending on the circumstances. For example, in its FAQs, NYDFS notes that “a single event involving an inadvertent lapse in the operation of the Cybersecurity Program of short duration and with no or minimal impact is not likely to be considered an instance of material noncompliance.” As such, whether a period of noncompliance is material may depend on the damage caused by that noncompliance. A lapse in MFA controls for several hours might normally be non-material, but could be considered material if (1) the MFA was associated with an account that has access to very sensitive data, (2) that account is known to be routinely under attack, and (3) during the period of noncompliance, a threat actor exploited the gap to access and acquire the sensitive information. Additionally, NYDFS notes that “several immaterial violations, when considered in the aggregate, might constitute a material violation.”
At least in theory, the converse is also true: a lapse in Part 500 controls that contributes to unauthorized access to the covered entity’s information systems does not necessarily mean that the entity was not materially compliant with the Regulation. The APC clarifies that an entity “that has violated Part 500… may still be able to certify compliance if the covered entity determines, based upon relevant factors such as the nature and length of the violation, that it materially complied with the requirements set forth in Part 500 during the prior calendar year.”
Part 500 does not provide for any explicit safe harbors. For example, the NYDFS declined to include a provision allowing a covered entity to certify material compliance if it remediated identified gaps within a certain time frame. Instead, based on NYDFS guidance, the fact that a covered entity identified and fixed a gap in its Part 500 compliance within a short time frame does not in and of itself mean that the gap was non-material. The entity must still make a holistic assessment as to the nature of the gap and any impacts that it might have had on the covered entity’s operation.
Practical Considerations
In short, it is up to each individual entity to assess for itself whether the cybersecurity controls that they have in place are sufficient to meet the standard of material compliance under Part 500, taking into account the specific circumstances and risks relevant to that entity. In order to make these determinations, some helpful areas to consider may include:
- Risk Assessments. Under Section 500.9, covered entities are required to conduct periodic risk assessments of their information systems. These assessments are useful tools for identifying which areas of the cybersecurity program are key to the entity’s overall cyber hygiene and require the most resources. The areas that surface most often in a company’s risk assessment are also the ones that NYDFS is more likely to examine when determining whether the company has materially complied with its Part 500 requirements.
- Documentation and Record Keeping. Covered entities should document their decision-making surrounding material compliance certification, including how they assessed material compliance, the levels of review that decisions went through, and any factors that the entity considered. Not only is the maintenance of “documentation and data supporting [covered entity] determinations” required by NYDFS, but documentation of a robust process can prove valuable in the event the determination is subsequently questioned, as we have previously recommended in the context of the SEC’s rule requiring disclosure of material cybersecurity incidents.
- Reporting and Communication Channels. Covered entities should consider putting reporting channels in place that are sufficient to keep their CISO informed of all relevant aspects of the cyber program. Proper communication at all levels of an organization helps ensure that CISOs have the data necessary to make an informed assessment of the company’s compliance with Part 500.
- Implementation Roadmaps. Covered entities should track the phased effective dates for the revised Part 500 requirements, as noted in the NYDFS’s implementation timelines. While providing covered entities with additional time to come into compliance, the phasing creates additional tracking needs vis-à-vis the material compliance standard, as the requirements that entities must comply with evolve throughout the year. For example, in the April 2025 certification covering the 2024 calendar year, covered entities will be certifying compliance with the updated 500.15 requirement around encryption policies for only November and December 2024, as that new requirement came into effect on November 1, 2024.
- Root Cause Reports. The Department has opined that a lapse in MFA controls that leads to a breach could indicate that a covered entity was not materially compliant with the Regulation. Taking that analysis further, companies should consider reviewing root cause reports to determine whether a breach stemmed from a lapse in controls required by Part 500, as noncompliance that results in a cybersecurity incident is more likely to be material.
- Compliance Reviews. As noted above, temporary lapses in Part 500 compliance do not necessarily mean that a covered entity was not materially compliant with the Regulation. To that end, covered entities may want to implement regular reviews of their cyber program to ensure that any compliance gaps are identified and remediated promptly in order to retain the ability to credibly argue that the gaps were not material.
***
The Debevoise Data Portal is an online suite of tools that help our clients quickly assess their federal, state, and international breach notification and substantive cybersecurity obligations. Please contact us at dataportal@debevoise.com for more information.