New York Introduces New and Amended Cybersecurity Regulations

Second amendment to Part 500 adds requirements and enforcement capabilities

Falling under the authority of the New York Department of Financial Services (DFS), Part 500 applies to companies offering financial services. The regulation was already amended once in April 2020 to change the date of the required annual certification filing. The second amendment, which was published in its finalized form on November 1, 2023, differs by making numerous changes that will create greater compliance obligations among DFS-regulated entities.

Some of the changes found in the second amendment to Part 500 include:

• Creating a category of “Class A Companies” for larger entities, with special requirements for independent audits, monitoring of privileged access and implementation of endpoint security solutions
• Requiring more regular risk and vulnerability assessments
• Updating incident notification requirements, including a new requirement to report ransomware payments
• Adding language clarifying what constitutes a violation of Part 500 in order to strengthen enforcement capabilities

Governor Hochul issued the following statement regarding the new amendment:

“New York has always led the way in protecting businesses and consumers from online threats, and with these amendments to our nation-leading cybersecurity regulations, we are continuing to set the national standard.

On the heels of launching the State’s first-ever cybersecurity strategy, boosting state law enforcement's cyber capabilities, and signing landmark legislation to protect our energy grid from cyberattacks, my administration is doubling down on our commitment to ensuring that financial institutions have the safeguards in place to protect vital customer data and maintain the integrity of our financial system.”

Financial companies operating in New York are encouraged to review the new requirements under the second amendment of Part 500 and expand their cybersecurity compliance programs as necessary. The New York DFS has issued the following guidance documents with implementation timelines:

• Small Businesses
• Class A Companies
• Covered Entities

Proposed cybersecurity regulations would cover New York hospitals

Governor Hochul’s office also announced proposed cybersecurity regulations governing the healthcare industry on November 16. “Under the proposed provisions,” reads the announcement, “hospitals will be required to establish a cybersecurity program and take proven steps to assess internal and external cybersecurity risks, use defensive techniques and infrastructure, implement measures to protect their information systems from unauthorized access or other malicious acts, and take actions to prevent cybersecurity events before they happen.” These measures are described as complementary to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

The proposed cybersecurity regulations, published in the New York State Register on December 6, would make New York the first state to impose cybersecurity requirements applying to all hospitals. The regulations are expected to be finalized following a 60-day public comment period ending February 5, 2024.

Expect more cybersecurity regulations in the future

This recent flurry of regulatory activity may herald future developments in the rest of the country, as other states look to the example set by New York. Stay tuned for ongoing regulatory coverage as governments at both the state and federal levels in the United States seek to counter the evolving risks to personal privacy and the economy posed by cyber threats.

Interested in taking the pain out of your data security compliance activities? Take advantage of the industry’s largest pre-defined policy library with Forcepoint DLP.