Several amendments from NYDFS’s cybersecurity regulations on financial services will go into effect on November 1. As previously covered by InfoBytes, in June 2023, NYDFS published an updated amendment to 23 NYCRR 500 imposing cybersecurity regulations. These new rules mandate multi-factor authentication for all individuals accessing information systems, including remote access to third-party applications and privileged accounts, unless the entity qualifies for a limited exemption. Additionally, annual cybersecurity training must now cover social engineering tactics, such as phishing and AI-enhanced techniques like deepfakes.
The amendments also require a covered entity’s chief information security officer to provide an annual written report to the senior governing body, detailing plans for remediating material inadequacies and reporting on significant cybersecurity events and changes to the cybersecurity program. The senior governing body must oversee cybersecurity risk management, ensure that executive management develops and maintains the cybersecurity program, and confirm that sufficient resources are allocated. Furthermore, the regulations provide that covered entities must have written information security procedures addressing encryption, with compensating controls for nonpublic information at rest approved by the CISO. Incident response plans must now include specific goals, internal processes, recovery from backups, root cause analysis, and plan updates. Business continuity and disaster recovery plans must identify essential documents, data, and personnel and include procedures for timely recovery and offsite storage of critical information.
Additional amendments to the NYDFS's cybersecurity requirements will go into effect next year, including the access management and data retention requirements (Section 500.13), starting November 1, 2025.