On November 1, 2023, the New York State Department of Financial Services (NYDFS) adopted amendments to its Cybersecurity Regulation, 23 NYCRR Part 500 ("Part 500"). NYDFS has published guidance on the implementation schedule for the key compliance deadlines that apply to each category of affected entity, including small businesses, Class A companies, and all other covered entities, along with training materials and FAQs on the new requirements.
As of December 1, 2023, all covered entities, including small businesses and Class A companies, must report cybersecurity incidents, including ransomware attacks, to NYDFS under Section 500.17(a), as amended. Notice of a cybersecurity incident is due within 72 hours of determining that one has occurred, and notice of an extortion payment made in connection with a cybersecurity incident is due within 24 hours of the payment.
The next important deadline is April 15, 2024, the date by which every covered entity must comply with Section 500.17(b) of Part 500, as amended, by submitting to NYDFS either a Certification of Material Compliance or an Acknowledgment of Noncompliance covering the prior calendar year. NYDFS states in its FAQ that "if a covered entity cannot demonstrate that it was in material compliance with the Cybersecurity Regulation for the prior calendar year, it must: (1) provide a written acknowledgment that the covered entity did not materially comply with all of the requirements applicable to it; (2) identify all sections of Part 500 with which the covered entity is not materially compliant; (3) describe the nature and extent of such noncompliance; and (4) provide a remediation timeline or confirmation that remediation has been completed" (Section 500.17(b)).
By April 29, 2024, covered entities and Class A companies must comply with most of the remaining provisions of Part 500, as amended, including Sections 500.2(c), 500.3, 500.5(a)(1), (b), and (c), 500.9, and 500.14(a)(3). This includes updating the internal risk assessment, which must be reviewed and updated at least annually and whenever a change in the business or its technology causes a material change to the entity's cyber risk, and complying with the amended testing, monitoring, training, and audit requirements.
Under Part 500, as amended, material compliance does not require perfect compliance with every provision. Companies should nonetheless take a risk-based approach to determining what the amendments require of them and conduct a gap analysis of their current cybersecurity program against the amended Part 500 so that any shortfalls are identified and remediated before the applicable deadlines.