April 28, 2025

New NYDFS cybersecurity compliance requirements take effect on May 1, 2025

On November 1, 2023, the New York Department of Financial Services (“NYDFS”) amended its Cybersecurity Regulation, 23 NYCRR Part 500, which was enacted in 2017 to establish cybersecurity requirements for financial services companies.  The amendments were designed to take effect in phases, with changes to reporting requirements taking effect within 30 days of the amended regulation’s publication, or by December 1, 2023, and compliance with remaining requirements expected within 180 days, one year, 18 months, or two years from the date of adoption.  In 2023, Willkie’s cybersecurity team published a client alert that summarized the amended regulation’s new requirements and compliance deadlines, which is located here.

On May 1, 2025, 18 months after the amended regulation was adopted, covered entities will be expected to comply with an additional set of new requirements, including those in Section 500.7, which addresses how companies control who can access their computer systems and nonpublic information.  By April 29, 2024 (180 days after adoption), companies were required to limit access to confidential customer and business information to those who need it to perform their jobs.  On May 1, 2025, companies will additionally be required to impose limits with respect to privileged accounts – a requirement that extends to Class A companies.  On May 1, 2025, companies will also be expected to allow only secure connections where devices can be remotely controlled, to have procedures to promptly terminate access when employees leave, and to have a written password policy that meets industry standards.  Starting on May 1, 2025, companies will also be required to manage network vulnerabilities by performing automated scans of their information systems (and a manual review of systems not covered by automated scans) at a frequency determined by their risk assessments.

NYDFS – Cybersecurity Resource Center Guidance | NYDFS Cybersecurity Regulation – Second Amendment