Introduction
The New York Department of Financial Services (NYDFS) has made significant updates to its Cybersecurity Regulation (23 NYCRR Part 500), with amendments coming into effect on 1st November 2024. These changes aim to address evolving cyber threats and reinforce the cybersecurity posture of regulated entities. Here is an overview of the key requirements introduced by the amendments.
Requirements for Class A and Standard Companies
The amendments introduce a two-tier classification system for regulated entities: Class A Companies (large organisations with extensive operations and resources) and Standard Companies (smaller entities).
Class A Companies face stricter compliance obligations, including:
- Annual risk assessments performed by qualified third-party auditors.
- Automated monitoring of privileged accounts to prevent insider threats.
- Real-time monitoring and alerting systems to identify suspicious activities.
Standard Companies must continue adhering to baseline cybersecurity requirements but benefit from a slightly reduced compliance burden. This distinction ensures the regulation scales appropriately to company size and risk exposure.
Cybersecurity Governance
The Cybersecurity Regulation (23 NYCRR Part 500) amendments place a heightened emphasis on cybersecurity governance by requiring boards of directors or senior management to oversee cybersecurity strategies. Key governance updates include:
- Annual approval of the organisation’s cybersecurity programme by the board.
- Quarterly updates to the board or senior management on cyber risks, incidents, and remediation efforts.
- Appointment of a Chief Information Security Officer (CISO) with clearly defined responsibilities, including reporting to the board.
By embedding cybersecurity into the highest levels of organisational governance, the regulation ensures that decision-makers remain informed and accountable.
Encryption of Nonpublic Information (“NPI”)
Data protection is at the heart of the amendments, with specific mandates for the encryption of Nonpublic Information (NPI). Companies must:
- Encrypt all NPI in transit and at rest using industry-standard encryption protocols.
- Implement robust key management processes to prevent unauthorised decryption.
- Regularly review encryption measures to ensure ongoing compliance.
The focus on encryption reflects the regulation’s commitment to safeguarding sensitive information against unauthorised access and data breaches.
Incident Response and Business Continuity Management
The new amendments strengthen requirements for incident response and business continuity management, acknowledging the increasing sophistication of cyberattacks. Regulated entities must:
- Maintain an updated Incident Response Plan (IRP) with clear procedures for detecting, responding to, and recovering from cybersecurity incidents.
- Conduct annual incident response exercises to test the plan’s effectiveness.
- Develop and maintain a Business Continuity and Disaster Recovery Plan to ensure rapid restoration of critical operations after an incident.
These measures aim to minimise disruption, financial losses, and reputational damage following a cybersecurity event.
Requirements for Small Businesses with Partial Exemptions
Recognising the resource constraints of smaller entities, the amendments provide tailored requirements for small businesses that qualify for partial exemptions. While exempt from some obligations, these businesses must still:
- Maintain a cybersecurity policy tailored to their risk profile.
- Perform regular risk assessments and address identified vulnerabilities.
- Implement measures to secure NPI.
This balanced approach ensures smaller businesses remain protected without facing undue compliance burdens.
Multi-Factor Authentication (MFA)
The Cybersecurity Regulation (23 NYCRR Part 500) amendments elevate the importance of multi-factor authentication (MFA) as a critical defence mechanism. Regulated entities must implement MFA for:
- Remote access to internal networks.
- Access to privileged accounts and critical systems.
- Third-party service providers accessing company systems.
MFA has proven to be one of the most effective ways to mitigate unauthorised access and is now a cornerstone of compliance under the updated regulation.
Cybersecurity Training
Acknowledging the role of human error in cybersecurity incidents, the Cybersecurity Regulation (23 NYCRR Part 500) mandates cybersecurity training for all employees. Training requirements include:
- Annual cybersecurity awareness sessions tailored to an employee’s role.
- Phishing simulations to assess and enhance employees’ ability to detect malicious emails.
- Training for executives and board members on governance responsibilities and cyber risk management.
By prioritising a cyber-aware culture, the regulation ensures that employees become an active line of defence.
Conclusion
The November 2024 amendments to New York’s Cybersecurity Regulation represent a significant step forward in enhancing the cyber resilience of regulated entities. With requirements spanning governance, encryption, incident response, and training, businesses must act swiftly to ensure compliance.
At Formiti Data International, we offer tailored project services to help organisations meet these stringent requirements, including risk assessments, encryption implementations, and incident response planning. Our Outsourced Data Protection Officer (DPO) services provide ongoing compliance support, enabling you to navigate regulatory complexities with confidence.
Contact us today to ensure your organisation’s compliance with the updated New York Cybersecurity Regulation while strengthening your overall cybersecurity framework.