New York Department of Financial Services Finalizes Amended Cybersecurity Regulations

7 minute read | December.07.2023

On November 1, the New York Department of Financial Services (NYDFS) amended its cybersecurity regulations to set additional notification, administrative, training and technical requirements.

The Amended Cybersecurity Regulations make clear that the “commission of a single act prohibited by,” or the failure to act to satisfy, a required obligation in the Amended Regulations constitutes a violation. Although most of the Amended Regulations set new technical, training and administrative standards (as well as new notification obligations), some aspects will codify existing regulatory expectations and streamline current practices.

NYDFS said the Amended Regulations are intended to “build on our risk-based approach to integrate cybersecurity with enhanced governance, more robust access controls and assessments, updated reporting rules including for ransomware, and requirements for personnel training, these regulations raise the bar for cyber resilience.”

Here’s a look at significant additions to the Amended Regulations, including:

Revisions to reportable incidents and associated events.
Heightened governance requirements.
Administrative requirements to strengthen identity and access management.
Technical multifactor authentication requirements.
The timeline for compliance.

Who Is Covered

The scope of covered entities remains unchanged and covers any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, Insurance Law or Financial Services Law. This would include money transmitters, BitLicensees, mortgage companies and insurance companies.

Notification Obligations

NYDFS has expanded reportable cybersecurity events to cover all ransomware events in addition to previously reportable events. The changes also codify the current practice of requiring entities to report incidents at affiliate and/or third-party locations.

In addition to the 72-hour reporting requirement, NYDFS will now require all covered entities to report within 24 hours any ransomware or extortion payment made in connection with a cybersecurity event. And within 30 days, entities must provide “a written description of the reason payment was necessary, a description of alternatives to payment considered, all diligence performed to find alternatives to payment and all diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control.”

Heightened Governance Requirements

Consistent with recent multistate regulatory enforcement actions, the Amended Regulations seek to expand the duties and obligations of the board or other senior governing body to exercise proper oversight and control over the entity’s cybersecurity program. The Amended Regulations:

Require a CISO to “timely report” to the board or senior governing body significant cybersecurity issues or material changes to the entity’s cybersecurity program.
Instruct the board or senior governing body to retain sufficient understanding of cybersecurity to enable effective oversight, provide proper direction of executive management and allocate sufficient resources to cybersecurity.
Require the board or senior governing body to regularly receive and review management reports and review written cybersecurity policies and procedures once a year.
Specify that annual compliance certifications will require co-certification by the highest-ranking executive officer and by the CISO or senior cybersecurity officer.

Additional Administrative Requirements

The Amended Regulations spell out additional requirements for entities to maintain robust vulnerability management procedures, privilege management, asset management, training and business continuity and disaster recovery. The regulations:

Require robust vulnerability management policies and procedures.
- All entities must now conduct annual penetration tests covering internal and external networks, conduct automated vulnerability scanning and address remediated vulnerabilities in a systematic and prioritized manner.
- The regulations delete the vague concept of “continuous monitoring” as an exception to the penetration testing and vulnerability assessment requirements.
Continue to strengthen identity access management, emphasizing policy of least privilege principles, codifying requirements to conduct privilege reviews, limiting and segregating the number of privileged accounts and disabling by default protocols and services not in use.
Obligate entities to implement robust asset management practices, which now explicitly require certain asset management information to be collected and routinely updated, such as owner, location, classification or sensitivity, support expiration date and recovery time objectives.
Direct covered entities to develop, implement and test a robust Business Continuity and Disaster Recovery Plan.
- The BCDR should include test scenarios covering the restoration of critical data and systems from backups.
- The Amended Regulations also require covered entities to maintain backups that are isolated from network connections. These requirements are consistent with the CSBS Nonbank Cybersecurity Exam Program, initially adopted in 2022.
Update incident response plans to cover ransomware events and threat hunting. Additionally, incident response procedures must cover root cause analysis, a summary of business impacts and remedial steps. This change is consistent with the previously issued NYDFS’ industry letter covering ransomware.
Require personnel training to cover social engineering.

Additional Technical Requirements

Alongside administrative requirements, the Amended Regulations expand the scope of technical controls that covered entities must implement as part of a cybersecurity program.

Unless a covered entity qualifies for an exemption, it must use multifactor authentication (MFA) for all access to its systems and third-party applications (i.e., cloud-based resources). Previously, MFA was only required for remote access situations.
Covered entities must also implement risk-based controls to protect against malware, including controls for monitoring and filtering web traffic and emails to block malicious content.

Class A Companies

The Amended Regulations also introduce a new category of companies that will be subject to heightened requirements: Class A Companies are NYDFS-regulated businesses that:

Grossed $20 million or more in annual revenue from operations in New York in each of the last two years—and either:
- Have over 2,000 employees (between the covered entity and affiliates) averaged over the last two years; or
- Have $1 billion in gross revenue (on a consolidated basis) in each of the last two fiscal years for all business operations, regardless of state or jurisdiction.

The regulations subject Class A Companies to additional requirements, including:

Conducting annual independent audits of its cybersecurity program, which can be performed by external or internal auditors.
Implementing privileged access management systems and automated methods to block commonly used passwords.
Implementing Endpoint Detection and Response solutions, such as SentinelOne, CrowdStrike or Cortex XDR, and a Security Information and Event Management system.

Timeline for Compliance

Covered entities will need to demonstrate compliance within 180 days of the Amended Regulations being published in the State Register, with the exception of the requirements listed below:

Effective Date	Requirement
*Immediately*	Revised exemptions
	Enforcement requirements
	Second amendment effective date
	Filing requirements
*December 1, 2023*	Notification obligations, including the 24-hour notification of extortion payment
*November 1, 2024*	CISO and senior governing body requirements
	Encryption requirements
	Incident response plan updated requirements and business continuity and disaster recovery plan requirement
	Exemptions based on employees and revenue
*May 1, 2025*	Conducting automated scans of information systems and manual review for what cannot be covered by the scans at a risk assessment-determined frequency or after any material event
	Implementing prescribed technical privilege limitations
	Implementing risk-based controls against malicious code
	Implementing an end-point detection solution and a solution with centralized logging and security event alerting
*November 1, 2025*	Expanded MFA requirements
*November 1, 2025*	Implementing written policies and procedures documenting asset inventory of the covered entity’s information systems

Other Considerations

The Amended Regulations increase the dollar and size thresholds for covered entities seeking partial exemption from the Amended Regulations. The changes also streamline rules that allow entities to provide annual certifications that include explanations of areas where the entity is not yet compliant, why compliance has not been achieved, and a plan and timeline to become compliant.

Consistent with recent enforcement actions, NYDFS considers whether a covered entity’s cybersecurity program aligns with the NIST Cybersecurity Framework, among other factors, in determining penalties for noncompliance.

Steps Covered Entities Should Consider Taking

Given extensive updates to cybersecurity requirements, including the FTC amendments on the Safeguards Rule, covered entities are encouraged to conduct a robust annual assessment of their information security programs. They also should determine how the Amended Regulations could impact existing licenses or license applications that are under review.

Covered entities should begin to:

Determine whether they fall under the definition of a “Class A Company” or under an exception.
Review incident response plans and procedures to align with expanded notification requirements.
Develop a ransomware playbook that includes policies governing extortion payments and the due diligence measures required under applicable OFAC sanctions rules and NYDFS notification obligations.
Examine their cybersecurity governance structure to make sure their CISO and senior governing bodies have the necessary capabilities and resources to develop and maintain the required cybersecurity program.

Over the next six months, we recommend institutions review policies, procedures and technical controls in order to ensure compliance within the prescribed timelines. Many of the standards now required by the Amended Safeguards Rule may require time to research, develop, test and implement automated solutions, including developing:

Automated asset and data discovery solutions.
Automated vulnerability scanning and patch management systems.
More robust governance, risk and compliance management solutions.
MFA solutions to cover all access.
Immutable backup solutions.

Authors

Amanda Lawrence Partner, Fintech, Financial & Fintech Advisory

Washington, D.C.

See my bio

D:+1 202 349 8089
E: [email protected]

Practice:

Fintech
Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Finance
Complex Litigation & Dispute Resolution
Internal Investigations
Class Action Defense

vCard

See full bio

Amanda Lawrence Partner

Washington, D.C.

She is a trusted adviser to and first call in high-stakes litigation and enforcement matters, including government investigations, regulatory examinations, class action and complex litigation, and internal investigations. Her matters include investigations, examinations, and enforcement actions before the CFPB, FTC, federal and state bank regulators and state attorneys general, including defending a leading bank in one of the CFPB’s first enforcement actions—a joint investigation and enforcement action with the FDIC.

Amanda also represents clients in bet the company litigation, including financial institutions and lenders in residential mortgage-backed securities (RMBS) matters, consumer class actions and other complex civil litigation matters.

Amanda is well versed in all aspects of her clients’ business and is known for providing thoughtful and practical advice. She leverages her experience with litigation and enforcement agencies to stay ahead of regulatory trends impacting the finance and fintech industries. Key among these is data monetization and regulators’ heightened focus on how data is collected, used, stored and transferred. Amanda’s practice started in the cyber and privacy spheres, and today she helps clients manage compliance with the Gramm-Leach-Bliley Act (GLBA) and Regulation P, the Safeguards Rule, the Fair Credit Reporting Act (FCRA), the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Prior to joining Orrick, Amanda was a partner at Buckley LLP, where she was a member of the partner board. She also has an active pro bono practice.

Aravind Swaminathan Partner, Cyber, Privacy & Data Innovation, Class Action Defense

Seattle; Boston

See my bio

Practice:

Finance Sector
Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Class Action Defense
White Collar, Investigations, Securities Litigation & Compliance
Government Investigations and Enforcement Actions
Trials
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Aravind Swaminathan Partner

Seattle; Boston

A leading cybersecurity and online safety authority, Aravind is recognized by Chambers USA in Privacy and Data Security in both Litigation and Incident Response. Clients describe him as “a very talented lawyer experienced with incident responses” and “incredibly responsive and technically savvy.”

Aravind’s deep knowledge of his clients’ business objectives and technological capabilities distinguishes him as a strategic advisor and frontline crisis responder. He advises some of the world’s leading online platforms, public and private financial institutions, tech companies, higher education institutions, and critical infrastructure providers on cybersecurity, and their obligations to monitor and remove harmful or illegal content online and root out instances of child exploitation.

He is adept at guiding companies through cybersecurity incidents, having directed more than 500 data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications. Aravind defends clients in an array of cybersecurity and privacy class actions and regulatory enforcement actions brought by the SEC, FTC, NY DFS and State AGs, and also represents individual C-level executives in criminal and civil regulatory enforcement matters.

As a former assistant United States attorney, he investigated and prosecuted a broad array of cybercrime, child exploitation cases, digital crimes, and white-collar crime cases. This first-hand knowledge of federal agencies allows him to navigate the system, partner with investigators and find creative solutions for clients.

Aravind is a member of Orrick’s Board of Directors, and he devotes much of his free time to advising independent schools on AI, online safety, and cybersecurity, and teaching and coaching.

Elizabeth McGinn Partner, Financial & Fintech Advisory, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.; New York

See my bio

D:+1 202 349 7968
E: [email protected]

Practice:

Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Fintech

vCard

See full bio

Elizabeth McGinn Partner

Washington, D.C.; New York

In conjunction with this work, she develops policies and procedures, records retention schedules and training materials. A significant part of her practice involves addressing data security breaches, working proactively with clients to prevent such breaches from occurring, and advising clients in responding to regulatory inquiries, investigations and enforcement actions related to privacy, information security and cybersecurity issues. She also assists numerous professional sports teams comply with data privacy concerns, consumer financing laws and payment system issues.

Beth also represents financial institutions, corporations and individuals in a wide range of matters. She advises clients in investigations, examinations and litigation initiated by the Consumer Financial Protection Bureau (CFPB), the New York Department of Financial Services (NYDFS), the Department of Justice (DOJ), the Federal Trade Commission (FTC), state attorneys general and bank regulatory agencies. She has represented financial institutions in class action litigation concerning federal and state fair lending laws, mortgage fraud, unfair and deceptive trade practices statutes, consumer fraud statutes and consumer privacy laws. She has extensive experience counseling clients in response to federal and state subpoenas and handling all aspects of e-discovery.

Over the course of her career, Beth has represented clients in matters involving simultaneous criminal, civil administrative and congressional proceedings. She has defended clients in matters relating to money laundering compliance issues and investigations and litigation by the U.S. Attorney’s Office for the Southern District of New York (SDNY), the Manhattan District Attorney’s Office, the Department of Treasury, the Securities and Exchange Commission (SEC), and various congressional committees, including the U.S. Committee on Homeland Security and Government Affairs Permanent Subcommittee on Investigations, the U.S. House Financial Services Committee and the U.S. House Committee on Oversight and Government Reform.

Beth has published and spoken on a variety of topics, including privacy, cybersecurity, electronic discovery, vendor management and consumer financial services litigation. She authored the chapter on “Oversight of Compliance and Control Responsibilities” for Navigating the Digital Age – The Definitive Cybersecurity Guide for Directors and Officers. She has been recognized for her work in Cyber Law (Data Protection and Privacy) by Legal 500 since 2013, which describes her as “outstanding on privacy and e-discovery issues,” “able to advise both on the regulatory and litigation sides of problems,” an attorney who "exceeds expectations on response and turnaround times,” “has strong industry knowledge in data security and privacy, and is able to walk the fine line between operational efficiency and regulatory compliance' when developing IT policies.” It also described her as “top notch, incredibly responsive, thoughtful, and provides advice that is both practical and efficient.”

Prior to joining Orrick, Beth was a partner at Buckley LLP where she was Co-chair of the firm’s Privacy, Cyber Risk & Data Security practice and E-discovery Committee. Previously she was an associate at Skadden, Arps, Slate, Meagher & Flom. She clerked for Federal Magistrate Judge P. Trevor Sharp of the United States District Court for the Middle District of North Carolina after law school. Beth is a Certified Information Privacy Professional (CIPP/US).

View Beth's webcasts & speaking engagements, news mentions and publications.

James Chou Managing Associate, Financial & Fintech Advisory, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.

See my bio

D:+1 202 349 8003
E: [email protected]

Practice:

Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Cyber, Privacy & Data Innovation
Fintech

vCard

See full bio

James Chou Managing Associate

Washington, D.C.

Prior to joining Orrick, James was an associate at Buckley LLP. Previously, he spent nearly 10 years as a Defense Analyst and a Senior Operations Research Analyst for the U.S. Army, where he focused on cybersecurity, defense policy, and program analysis. He also spent more than three years in the defense industrial base as an IT Project Manager and Policy Analyst.

James is a Certified Information Systems Security Professional (CISSP), a Certified Cloud Security Professional (CCSP), and a Certified Data Privacy Solutions Engineer (CDPSE). He is conversational in Mandarin.

Naomi Pen Associate, Cyber, Privacy & Data Innovation

New York

See my bio

D:+1 212 506 5000
E: [email protected]

Practice:

Cyber, Privacy & Data Innovation

vCard

See full bio

Naomi Pen Associate

New York

Naomi provides clients guidance on implementing global privacy programs and advises on the U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states. She assists clients in breach investigations and cybersecurity incident response, including advising on breach notification, regulatory investigations and managing cybersecurity policies and procedures.

Naomi draws on her experience in fixed income trading technology when advising on cybersecurity and compliance risks within business operations. During law school she externed at the Center for Reproductive Rights focusing on privacy in the context of international human rights.

Kathryn Ryan Partner, Financial & Fintech Advisory, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.

See my bio

D:+1 202 349 8008
E: [email protected]

Practice:

Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Fintech

vCard

See full bio

Kathryn Ryan Partner

Washington, D.C.

She represents banks, first and second mortgage originators and servicers, reverse mortgage originators and servicers, fulfillment service providers, commercial lenders and servicers, bank holding companies, private equity firms, finance companies, debt collection companies, financial institutions and technology companies, payment processors, money transmitters and various related service providers.

Katy assists clients with matters before state regulatory agencies, the Consumer Financial Protection Bureau (CFPB), the Department of Justice (DOJ), the Department of Housing and Urban Development (HUD), federal banking agencies, Fannie Mae and Freddie Mac. She also provides strategic and tactical advice to help clients identify and secure the nationwide federal and state approvals necessary to achieve operational goals.

Prior to joining Orrick, Katy was a partner at Buckley LLP, where she was a member of the firm’s partner board.

Sherry-Maria Safchuk Partner, Financial & Fintech Advisory, Strategic Advisory & Government Enforcement (SAGE)

Santa Monica

See my bio

D:+1 310 424 3917
E: [email protected]

Practice:

Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Fintech
Cyber, Privacy & Data Innovation

vCard

See full bio

Sherry-Maria Safchuk Partner

Santa Monica

Sherry’s clients include banks, mortgage originators and servicers, mortgage brokers, commercial lenders, bank holding companies, private equity firms, investment advisors, investment managers, finance companies, fintechs, consumer reporting agencies, debt collection companies and related service providers.

She is a Certified Information Privacy Professional (CIPP/US), and was a member of the Mortgage Bankers Association’s 2016 class of Future Leaders and the California Mortgage Bankers Association’s 2014 class of Future Leaders.

Prior to joining Orrick, Sherry was a partner at Buckley LLP. She has been an associate in private practice. She also clerked for the Honorable Jeanette J. Clark in the Superior Court of the District of Columbia.

Sasha Leonhardt Partner, Financial & Fintech Advisory, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.

See my bio

D:+1 202 349 7971
E: [email protected]

Practice:

Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Cyber, Privacy & Data Innovation
Fintech
Government Investigations and Enforcement Actions

vCard

See full bio

Sasha Leonhardt Partner

Washington, D.C.

Sasha also has substantial experience advising clients on the Servicemembers Civil Relief Act (SCRA), Military Lending Act (MLA), Consumer Financial Protection Act (CFPA), Truth in Lending Act (TILA), Real Estate Settlement Procedures Act (RESPA), Equal Credit Opportunity Act (ECOA), Fair Housing Act (FHA), and Fair Debt Collection Practices Act (FDCPA). He advises companies, non-profits and industry associations with consumer privacy issues arising from the Gramm-Leach-Bliley Act (GLBA) and Regulation P, the Fair Credit Reporting Act (FCRA) and its Affiliate Marketing Rule and state and federal laws that address data privacy and information security.

In addition to representing clients, Sasha has published numerous articles on various aspects of consumer financial services law and practice, including data privacy, class action litigation, white collar litigation, whistleblower lawsuits and recent trends in regulation and enforcement. He also maintains an active pro bono practice and serves as a member of the Legal Counsel for the Elderly’s Young Lawyers Alliance. A frequent speaker on a variety of legal topics, Sasha has taught at Duke University School of Law and American University Washington College of Law, and was previously a Professorial Lecturer in Law at the George Washington University Law School.

Prior to joining Orrick, Sasha was a partner at Buckley LLP. He also previously served as Deputy Press Secretary to Maryland Governor Martin O’Malley. He is accredited as a Privacy Law Specialist, a Fellow of Information Privacy, a Certified Information Privacy Manager (CIPM/US), and a Certified Information Privacy Professional (CIPP/US) by the International Association of Privacy Professionals.

Heather Egan Partner, Cyber, Privacy & Data Innovation, Global Compliance & Regulatory

Boston

See my bio

D:+1 617 880 1830
E: [email protected]

Practice:

Technology & Innovation Sector
Finance Sector
Energy & Infrastructure Sector
Cyber, Privacy & Data Innovation
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Technology & Innovation
Fintech
Responsible Business
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Heather Egan Partner

Boston

Heather partners with clients to reduce the risk of privacy and security incidents. In the event of an incident, she helps companies respond, successfully guiding them through investigation, remediation, notification and any ensuing government inquiries. She provides comprehensive crisis management support and companies rely on her to manage their response to catastrophes, investigations and government probes involving conduct by employees, contractors and third parties.

To help clients navigate complicated global regulatory compliance challenges, she leads comprehensive cybersecurity and privacy assessments worldwide, vets risks in corporate transactions, conducts internal investigations stemming from data incidents, and drafts and negotiates contracts concerning data-related vendors and arrangements. She regularly counsels businesses on how to mitigate risks associated with the collection, use, retention, disclosure, transfer and disposal of personal data. Outside of the U.S., she manages teams of talented counsel around the world to deliver seamless advice for clients that operate across many jurisdictional lines, developing comprehensive privacy and cybersecurity programs that address competing regulatory regimes.