Recently, the New York State Department of Financial Services (NYSDFS) amended the annual notification requirements under the Cybersecurity Regulation, also known as “Part 500.” Covered entities under this regulation include organizations that require authorization from the NYSDFS in order to operate, such as private and commercial banks, mortgage brokers, health insurers, life insurers, etc. These entities now have two options when deciding what to submit for their annual compliance notification every year on April 15: a Certification of Material Compliance or an Acknowledgment of Noncompliance. This article will supplement our September 29, 2016 article, as well as discuss the most recent amendments to Part 500.
The Cybersecurity Regulations aka “Part 500”
Cyberattacks have become more prevalent and sophisticated as technology has advanced. Covered entities are not the only ones taking advantage of these advances; cybercriminals with malicious intentions are as well. With day-to-day operations conducted online more than ever, it is important for covered entities to maintain a strong cybersecurity program that prevents phishing scams, malware attacks, hackers, and other cybercriminals from obtaining confidential information about the entity and its customers.
Entities regulated by Part 500 are expected to maintain a cybersecurity program that protects confidential information stored within their information systems. The program should assess cybersecurity risks, both internal and external; respond to such threats; employ defensive infrastructure to protect confidential information; and fulfill the regulation's reporting requirements.
Under Part 500, a covered entity is considered any individual or organization that operates under a license, registration, certificate, permit, “or similar authorization under the Banking Law, Insurance Law or the Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies.” A cybersecurity incident is defined as any event that impacts the covered entity and requires it to “notify any government body, self-regulatory agency, or any other supervisory body;” is reasonably likely to materially harm a material part of the covered entity’s normal operations; or results in the use of “ransomware within a material part of the covered entity’s information systems.”
Under an amendment to Part 500 that went into effect on November 1, 2023, covered entities must notify the NYSDFS of a cybersecurity incident no later than 72 hours after determining that the incident has occurred. If the Superintendent of the NYSDFS requests information regarding the incident, covered entities must provide it. Covered entities also have an ongoing obligation to update the Superintendent on any material changes or new information that was not previously available. The NYSDFS further recommends that cybersecurity events be reported. A cybersecurity event is an act, or an attempt, to gain unauthorized access to an information system in order to disrupt or misuse the information stored there. Even when such an attempt is unsuccessful, the NYSDFS encourages covered entities to report it, because failed attacks can still be sufficiently serious to raise concern.
Latest Amendment Regarding Annual Notification
Beginning in 2024, covered entities may submit their annual notification as either a written Certification of Material Compliance (Certification) or a written Acknowledgment of Noncompliance (Acknowledgment). These notices must be submitted to the Superintendent by April 15 every year. A Certification should certify that the covered entity materially complied with all requirements set forth in Part 500, and it must be based on sufficient data and documentation that accurately demonstrate material compliance.
According to the NYSDFS’s FAQ, this supporting documentation does not have to be submitted with the Certification. However, the NYSDFS recommends that covered entities maintain records, schedules, and data that support their annual notification for five years. The information kept should include, but is not limited to, the “identification of all areas, systems, and processes that” required material improvement, updating or redesigning, any remedial efforts, and a remedial timeline to be implemented.
An Acknowledgment should state that the covered entity did not comply with all requirements of Part 500, identify the parts with which the entity has not materially complied by describing the nature and extent of the noncompliance, and provide a remedial timeline or confirmation that remediation has already been established.
Part 500.17(b)(2) also requires that the annual notification be signed by the covered entity's highest-ranking executive and its Chief Information Security Officer (CISO). If the entity does not have a CISO, the Senior Officer responsible for the cybersecurity program may sign the notification instead.
Takeaway
Cybersecurity is a rapidly changing field, and online threats are becoming more sophisticated. An up-to-date and adaptable cybersecurity program is therefore necessary to avoid compromising confidential information and to avoid the expensive remedial costs of recovering from a cyberattack. Part 500 gives covered entities a framework for assessing their cybersecurity program and determining what changes can be implemented to better protect their confidential information and their customers.