New NYDFS requirements go into effect November, 2024
The New York Department of Financial Services (NYDFS) first announced its cybersecurity requirements for financial services companies in 2017. Regularly updated, this robust set of requirements, including its 72-hour reporting requirement upon determination that a Cybersecurity Incident has occurred, requires any ‘covered entity’[1] to pay close attention to its obligations.
Under the regulations, a covered entity is broadly construed to include partnerships, corporations, branches, agencies, and associations if licensed or otherwise authorized under the relevant New York insurance law, banking law, or financial services law, as well as Health Maintenance Organizations (HMOs), Continuing Care Retirement Communities (CCRCs), New York-based branches of global entities, not-for-profit Mortgage Brokers and even certain Exempt Mortgage Loan Servicers.
The NYDFS has since continued to amend the requirements, with the newest requirements going into effect in November 2024. The McDonald Hopkins Data Privacy and Cybersecurity team can assist any covered entity in determining whether it is explicitly exempted and in making preparations for compliance with the new requirements. Even exempt entities have obligations, including Multi-Factor Authentication compliance and ongoing cybersecurity training, that are in effect as of November 2024.
Cybersecurity Governance
Senior leadership has additional obligations under the new NYDFS requirements[2]. Covered entities must designate a Chief Information Security Officer, or CISO. The CISO must prepare an annual written report on the entity’s cybersecurity program and risks for senior governing bodies which must, among other matters, address material inadequacies and plans for remediation. In addition, any material cybersecurity issues and any changes to any cybersecurity programs must be reported up to those senior governing bodies. For their part, senior governing bodies, which may include Boards of Directors and/or a designated committee, senior officers, or an appropriate third-party provider, must not only receive the CISO’s reports but exercise sufficient oversight over cybersecurity risk management. If a covered entity outsources its CISO and other requirements, the entity is still ultimately responsible for ensuring compliance with the new regulations.
Encryption of Nonpublic Information (NPI)
The requirements for encryption of nonpublic information as a default are increasing[3]. Covered entities must implement a written policy incorporating industry-standard encryption to protect all nonpublic information. Nonpublic information (NPI) is broadly construed to cover “all electronic information that is not Publicly Available Information” including business-related information, information that could identify an individual in combination with a Social Security number, driver’s license number or other data, and health care-related information.
Encryption will be required when transmitting NPI over external networks. An existing alternative to encryption, the so-called effective alternative compensating controls, will no longer be allowed as of November 2024. Compensating controls are still allowed in place of encryption for NPI at rest, but this must be explicitly set forth in a written policy approved by the CISO.
Incident Response and Business Continuity Management
The NYDFS already requires covered entities to maintain incident response plans[4]. Covered entities will also be required to maintain business continuity and disaster response plans that consider, among other concerns, cybersecurity-related disruptions. Once in place, these plans must be taught to relevant employees, tested, and revised as necessary. The NYDFS specifically requires that backup viability be prioritized, both in maintaining sufficient backups and being able to restore from them.
The NYDFS’s new regulations continue to evolve and demand awareness and vigilance to maintain compliance. If you have questions about satisfying NYDFS cybersecurity compliance, have questions about national privacy requirements, or think you might have experienced a cybersecurity incident, contact a member of McDonald Hopkins’ national cybersecurity and data privacy team.
[1] The NYDFS definition of ‘Covered Entity’ is distinct from the definition and meaning under HIPAA.
[2] 23 NYCRR Section 500.4
[3] 23 NYCRR Section 500.15
[4] 23 NYCRR Section 500.16