On November 1, 2023, New York’s Department of Financial Services (DFS) formally adopted amendments to Cybersecurity Regulation, 23 NYCRR Part 500 (“Amended Cybersecurity Regulation”). Among the numerous requirements and changes enacted, the Amended Cybersecurity Regulation also imposes new notification requirements for covered entities operating under DFS licensure.
To start, the Amended Cybersecurity Regulation has now adopted the term “Cybersecurity Incident” to align with the term’s usage in other laws and regulations, which is now defined as follows:
(g) Cybersecurity incident means a cybersecurity event that has occurred at the covered entity, its affiliates, or a third-party service provider that:
(1) impacts the covered entity and requires the covered entity to notify any government body, self-regulatory agency or any other supervisory body;
(2) has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity; or
(3) results in the deployment of ransomware within a material part of the covered entity’s information systems.
N.Y. Comp. Codes R. & Regs. tit. 23, 500.1(g).
Notably, the Amended Cybersecurity Regulation clarifies the notification requirements to overtly require notification to DFS for incidents that occur at affiliates and third-party service providers, with a continued obligation to update DFS with “material changes or new information previously unavailable.” As reflected in the provided definition, DFS provides guidance for when notification is required.
While the 72-hour reporting requirement still stands, DFS has clarified that it is only triggered once the covered entity has knowledge of the reportable event and makes its determination that reporting is required, which is shown by the addition of “after determining” language in the notification requirement. The pertinent section is provided below:
Each covered entity shall notify the superintendent electronically in the form set forth on the department's website as promptly as possible but in no event later than 72 hours after determining that a cybersecurity incident has occurred at the covered entity, its affiliates, or a third-party service provider.
N.Y. Comp. Codes R. & Regs. tit. 23, § 500.17 (a)(1) (emphasis added).
Ransomware
When it comes to ransomware, the Amended Cybersecurity Regulation now explicitly requires reporting of ransomware events regardless of the impact it has on the covered entity’s operations. According to DFS, the deployment of ransomware itself is sufficient to create a reportable obligation.
In addition to requiring notification of ransomware deployment incidents, the Amended Cybersecurity Regulation is also requiring notification for extortion payments. Specifically, within 24 hours of the extortion payment, covered entities must provide DFS with notice of the payment. In addition, the covered entity must provide the following within 30 days of the extortion payment:
(1) Written description of the reasons payment was necessary;
(2) Description of alternatives to payment considered;
(3) All diligence performed to find alternatives to payment; and
(4) All diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control.
Key Takeaways and Next Steps
These new reporting requirements also come with obligations to develop incident response plans and for covered entities to test their incident responses on an annual basis (at minimum). Covered entities should be advised that changes to cybersecurity incident reporting requirements take effect on December 1, 2023.
Accordingly, covered entities should reassess their privacy programs to align their policies and procedures in compliance with the Amended Cybersecurity Regulation. In particular, covered entities should prepare to report incidents as outlined in the regulation.
Octillo specializes in helping businesses with their incident response, which is an increasingly complex landscape as companies must now be prepared for cyberattacks that occur at affiliates, business partners, and other third-parties. Octillo can help manage those business relationships while advising on compliance with applicable regulations and laws. Our team also helps organizations of all sizes and across industries develop and test incident response plans tailored to their unique business needs.
*Attorney advertising: prior results do not guarantee future outcomes.