Deadline Approaching: Covered Entities Must File Certifications of Compliance With Amended NYDFS Cyber Regulation by April 15
In November 2023, the New York Department of Financial Services (NYDFS) issued its second amendment to its "Cybersecurity Requirements for Financial Services Companies" (the Cybersecurity Regulation or Part 500). This was the first significant modification to the Cybersecurity Regulation since it was issued in 2017 (the first amendment merely changed the date for filing annual certifications of compliance from February 15 to April 15). The new requirements (the Amendments), which were first proposed in 2022, have become effective in phases since November 2023. The text of the adopted amendments can be found here.
The Amendments significantly expanded the Cybersecurity Regulation, adding reporting requirements for ransomware incidents and for payments of ransoms that went into effect in December 2023. Additional requirements went into effect on April 29 and November 1, 2024, with specific implementation deadlines varying by type of covered entity. Covered entities that qualify for the Cybersecurity Regulation's limited exemption for small businesses do not need to comply with some of the requirements introduced by the Amendments.
On April 15, 2025, covered entities must file attestations of compliance with most of the Amendments for the first time. Covered entities should carefully review the Amendments and assess their readiness to make this upcoming filing. Entities that cannot attest to their compliance with the Cybersecurity Regulation during the prior calendar year must file an Acknowledgment of Noncompliance accompanied by a remediation timeline or confirmation that the remediation has been completed. The Cybersecurity Regulation does not provide any enforcement safe harbor for entities that file an Acknowledgment of Noncompliance.
We recap the Amendments' new requirements that came into force in 2023 and 2024 and that will need to be addressed in covered entities' April 15 annual certifications of compliance, as well as the requirements set to go into effect in 2025.
New Entity Classification and Obligations
The Amendments established a new category of covered entity—"Class A" companies. A Class A company is a covered entity with at least $20 million in gross annual revenue from its and its affiliates' New York operations in each of the last two fiscal years and either over 2,000 employees (including affiliates' employees) averaged over the last two fiscal years or over $1 billion in gross annual revenue from all operations in each of the last two fiscal years. The Amendments impose a number of compliance obligations specific to Class A companies, including requirements to:
- Conduct annual independent audits of their cybersecurity programs; and
- Monitor privileged account access activity and, unless otherwise approved by the CISO in writing, implement an access management solution for privileged accounts and an automated method of blocking commonly used passwords.
New Obligations for CISOs
The Amendments require that a covered entity's chief information security officer (CISO):
- Provide timely reports to the covered entity's board of directors or other senior governing body on "material cybersecurity issues," which include updates to the covered entity's cyber risk assessment, major cybersecurity events, and significant changes to the entity's cybersecurity program;
- Sign the business's annual certification of compliance; and
- Annually review the feasibility of encryption and, if encryption of nonpublic information at rest is infeasible, the effectiveness of the compensating controls used instead.
These new obligations became effective in 2024 for covered entities, including Class A companies, and must be addressed in companies' April compliance certifications. Entities that qualify for the Cybersecurity Regulation's small business exemption are not required to comply with these requirements. These obligations were added to the CISO's preexisting obligations to provide annual board reports on cybersecurity risk management and to annually review in-house development practices.
New Threshold for 72-Hour Reporting Requirement
The Amendments expanded the types of events that must be reported under the Cybersecurity Regulation's 72-hour incident reporting deadline. Beginning in December 2023, all covered entities must notify NYDFS within 72 hours of determining that the covered entity, an affiliate, or a service provider has experienced a "cybersecurity incident," which is a newly defined term under the Amendments meaning a cybersecurity event that:
- Impacts the covered entity and requires the covered entity to notify any government body, self-regulatory agency, or any other supervisory body;
- Has a reasonable likelihood of materially harming any material part of the normal operations of the covered entity; or
- Results in the deployment of ransomware within a material part of the covered entity's information systems.
There was no requirement for covered entities to notify NYDFS of incidents occurring at affiliates or service providers prior to the Amendments.
24-Hour Reporting Requirement for Cyber Extortion Payments
Under the Amendments, covered entities must also notify NYDFS within 24 hours of making an "extortion payment" in connection with a cybersecurity event (for example, a ransomware attack). Within 30 days of making the extortion payment, covered entities also must provide NYDFS a written description of:
- The reasons the payment was necessary;
- A description of alternatives to payment considered;
- All diligence performed to find alternatives to payment; and
- All diligence performed to ensure compliance with applicable rules and regulations, including those of the Office of Foreign Assets Control.
This requirement has been in force for all covered entities since December 2023. Previously, there was no requirement to notify NYDFS specifically of having made an extortion payment.
Stricter Board Oversight and Involvement in Cybersecurity Matters
The Amendments emphasize the role of a covered entity's board of directors or other senior governing body in cybersecurity oversight and now require that members of the board or other senior governing body:
- Have sufficient understanding of cybersecurity-related matters to exercise oversight, which may include the use of advisors;
- Require the covered entity's executive management to develop, implement, and maintain the covered entity's information security program;
- Regularly receive and review management reports about cybersecurity matters; and
- Confirm that the covered entity's management has allocated sufficient resources to implement and maintain an effective cybersecurity program.
These requirements came into force in November 2024 but do not apply to covered entities eligible for the small business exemption. Prior to the Amendments, the only requirements specific to members of the board or other senior governing body were to annually approve the covered entity's cybersecurity policies.
The Amendments also create a new requirement for a covered entity's CISO and CEO to sign the entity's annual certification of compliance with the Cybersecurity Regulation. Previously, covered entities were required to submit an annual compliance certification but there was no requirement that the certification be signed by the CISO or CEO.
Acknowledgments of Noncompliance
Beginning with the April 2024 certification, the Amendments have required that if any covered entity cannot certify to its compliance with the Cybersecurity Regulation, it must submit an Acknowledgment of Noncompliance that the covered entity did not fully comply with all the requirements of the Cybersecurity Regulation. That acknowledgment, which also must be signed by the CISO and CEO, must identify all provisions of the Cybersecurity Regulation that the covered entity did not meet, the nature and extent of such noncompliance, and provide a remediation timeline or confirmation that the remediation has been completed.
Additional Cybersecurity Controls
The Amendments also require covered entities to implement the following cybersecurity controls:
- Business Continuity and Disaster Recovery (BCDR) Plan: All covered entities are required to develop BCDR plans, ensuring the availability and functionality of the covered entity's information systems and material services and protecting the covered entity's personnel, assets and nonpublic information in the event of a cybersecurity-related disruption to its normal business activities. The BCDR plan will need to include, among other things, procedures for backing up or copying operationally essential documents and data and storing such information offsite.
- Training: All covered entities are required to provide training to all employees responsible for implementing the BCDR and incident response plans regarding their roles and responsibilities.
- Testing: All covered entities are required to periodically test their incident response plan, their BCDR plan, and their ability to restore systems using back-ups. Prior to the Amendments, covered entities were required to maintain incident response plans, but the Amendments create new obligations regarding training and testing these plans.
These requirements came into force in November 2024 but do not apply to covered entities that qualify for the small business exemption.
Vulnerability Management
The Amendments added to existing penetration testing requirements, including a requirement that covered entities perform testing from both inside and outside the information systems' boundaries using a qualified internal or external team. Covered entities must timely remediate vulnerabilities, giving priority to vulnerabilities based on the risk they pose to the covered entity. These requirements came into force in April 2024 but do not apply to covered entities that qualify for the small business exemption.
The following obligations will come into force in May and November of 2025:
- Automated Scans. All covered entities other than small businesses must conduct automated scans of information systems and conduct a manual review of systems not covered by such scans so covered entities are promptly informed of new security vulnerabilities.
- Privileged Account Access. All covered entities must limit user access privileges to those necessary for each user's job, limit the number and use of privileged accounts, review access privileges at least annually and remove access that is no longer necessary, and promptly terminate access following personnel departures. Class A companies must also implement a privileged access management solution.
- Remote Access. All covered entities must disable or securely configure all protocols that permit remote control of devices.
- Password Policy. All covered entities must implement an industry-standard written password policy, and Class A companies must also implement an automated method of blocking commonly used passwords.
- Multifactor Authentication. Class A companies and all other covered entities outside the small business exemption will be required to implement multifactor authentication for any individual accessing the entity's information systems. The Cybersecurity Regulation previously required multifactor authentication only for external access to an entity's internal systems. Under the Amendments, the CISO may approve in writing the use of a reasonably equivalent or more secure compensating control in place of multifactor authentication. Small businesses are only required to use multifactor authentication for remote access and for privileged accounts.
- Malicious Code. All covered entities other than small businesses must implement controls to protect against malicious code, and Class A companies are required to implement, unless otherwise approved by the CISO in writing, an endpoint detection and response solution to monitor for anomalous activity.
- Asset Management. All covered entities are required to document and maintain an asset inventory that tracks key information for each asset including, among other things, owner, location, and updates to the covered entity's asset inventory.
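Several of the 2025 controls above (the written password policy, the blocking of commonly used passwords, the review and removal of unnecessary privileged access, termination of access after departures, and MFA with CISO-approved compensating controls) can be tested against an entity's own account data ahead of the certification. The script below is an added illustration, not NYDFS's or the firm's code; its account records, the 12-character minimum, the 90-day staleness window and the short banned-password list are constructed assumptions, and a real deployment would substitute the entity's policy values and a breach-derived banned list (for example the Have I Been Pwned "Pwned Passwords" corpus).

```python
"""Evidence checks for a few Part 500 access controls over constructed account data.

Added example; assumptions (12-char minimum, 90-day staleness window, the
banned-word list and the sample accounts) are illustrative, not regulatory text.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Common "leet" substitutions undone so that P@ssw0rd is recognised as password.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed, deliberately short; production lists have hundreds of millions of entries.
BANNED_BASES = {"password", "welcome", "letmein", "qwerty", "summer",
                "winter", "admin", "changeme"}


def normalize(pw: str) -> str:
    """Lowercase, drop the trailing year/digits/punctuation people append, undo leet."""
    s = pw.lower()
    s = re.sub(r"[^a-z]+$", "", s)       # "Summer2024!" -> "summer"
    s = s.translate(LEET)                # "p@ssw0rd"    -> "password"
    return re.sub(r"^[^a-z]+", "", s)    # strip any leading junk left over


def check_password(pw: str, min_length: int = 12) -> Optional[str]:
    """Return None if the password passes, else the reason it is rejected."""
    if len(pw) < min_length:
        return f"shorter than {min_length} characters"
    if normalize(pw) in BANNED_BASES:
        return "commonly used password"
    return None


@dataclass
class Account:
    user: str
    privileged: bool
    mfa: bool
    last_login: date
    employment_end: Optional[date] = None   # from the HR feed when the person has departed
    mfa_exception: bool = False             # CISO-approved compensating control on file


def review_accounts(accounts: List[Account], today: date,
                    stale_days: int = 90) -> List[Tuple[str, str]]:
    """Flag accounts that would undermine a clean certification.

    Codes: "departed" (access not terminated), "no_mfa" (and no written CISO
    exception), "stale" (no login within stale_days; candidate for removal).
    """
    findings: List[Tuple[str, str]] = []
    for a in accounts:
        if a.employment_end is not None and a.employment_end <= today:
            findings.append((a.user, "departed"))
        if not a.mfa and not a.mfa_exception:
            findings.append((a.user, "no_mfa"))
        if (today - a.last_login).days > stale_days:
            findings.append((a.user, "stale"))
    return findings


# Constructed sample data for the review.
TODAY = date(2025, 4, 1)
ACCOUNTS = [
    Account("svc-backup", privileged=True, mfa=False, last_login=date(2025, 3, 30),
            mfa_exception=True),                      # service account, exception documented
    Account("jdoe", privileged=True, mfa=False, last_login=date(2025, 3, 31)),
    Account("asmith", privileged=False, mfa=True, last_login=date(2024, 11, 1),
            employment_end=date(2025, 2, 28)),        # left in February, still enabled
    Account("bwong", privileged=True, mfa=True, last_login=date(2025, 3, 31)),
]

if __name__ == "__main__":
    for pw in ("P@ssw0rd123!", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw) or 'ok'}")
    for user, code in review_accounts(ACCOUNTS, TODAY):
        print(f"{user}: {code}")
```

The findings are the kind of evidence the CISO needs before signing: `jdoe` is a privileged account with neither MFA nor a written exception, and `asmith` shows both an untimely termination and a stale login. The banned-password check is exact-match after normalization; the Class A "automated method of blocking commonly used passwords" is usually implemented with fuzzier matching and a far larger list, which is why this block should be read as the shape of the check rather than a drop-in control.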
Violations and Penalties
The Amendments add new specificity regarding violations and assessment of penalties. They provide that a violation of the Cybersecurity Regulation occurs when a covered entity either: (1) fails to secure or prevent unauthorized access to an individual's or an entity's nonpublic information due to noncompliance with any section of the regulation; or (2) materially fails to comply for any 24-hour period with any section or subsection of the regulation.
The Amendments also enumerate factors NYDFS will consider when assessing penalties for violations, including:
- The extent to which the covered entity cooperated with NYDFS in its investigation;
- Good faith of the covered entity;
- Whether the violations resulted from conduct that was unintentional or inadvertent, reckless, or intentional or deliberate;
- Whether the violation was a result of the covered entity failing to remedy previous examination matters requiring attention, or failing to adhere to any disciplinary letter, letter of instructions, or similar;
- Any history of prior violations;
- Whether the violation involved is an isolated incident, whether the covered entity has committed repeat violations or systemic violations, or whether it has been involved in a pattern of violations;
- Whether the covered entity provided false or misleading information;
- The extent of harm to consumers;
- Whether required, accurate, and timely disclosures were made to affected consumers;
- The gravity of the violations;
- The number of violations and the length of time over which they occurred;
- The extent, if any, to which the senior governing body participated in committing the violations;
- Any penalty or sanction imposed by any other regulatory agency;
- The financial resources, net worth, and annual business volume of the covered entity and its affiliates; and
- Other matters required by justice and the public interest.
Looking Ahead
Covered entities should review their cybersecurity programs to determine their readiness to submit their certifications of compliance this April. Particular attention should be paid to a covered entity's compliance with the new requirements introduced by the Amendments, as this April's filing will be the first that applies to most of those new requirements. Moreover, covered entities should review the final requirements that are coming into force in 2025 and establish procedures and practices to ensure timely compliance.
DWT's privacy and security team routinely advises institutions on compliance with the NYDFS Cybersecurity Regulation and will continue to monitor developments relating to the Amendments and their implementation.