In brief

Financial institutions, financial services providers and other companies subject to New York State's Banking, Insurance and Financial Services laws should note that on November 1, 2024, the amendments to the New York Department of Financial Services' ("NYDFS") cybersecurity regulations took effect. "Covered entities" under the amendments still include any company licensed under those laws and operating in New York, regardless of whether it is already regulated by other government agencies. The amendments also require covered entities to significantly increase both their proactive and their reactive breach readiness.

In depth

The NYDFS supervises and regulates the activities of more than 3,000 financial institutions with assets totaling more than $9.7 trillion as of December 31, 2023. The Department regulates more than 1,900 insurance companies with assets of more than $6.4 trillion and more than 1,300 banking and other financial institutions with assets totaling more than $3.3 trillion. The financial services sector is an important part of the nation's critical infrastructure and a frequent target of cyber-attacks.

To protect businesses and consumers alike, NYDFS became the first state regulator to enact detailed cybersecurity regulations, in 2017. NYDFS' cybersecurity regulations impose prescriptive technical and administrative standards and controls to secure sensitive data. This approach requires businesses to integrate cybersecurity holistically into business planning, decision-making and ongoing risk management.

NYDFS updates its cybersecurity regulations as threats evolve. In November 2023, NYDFS adopted amendments that, among other things, mandate cyber governance; the requirements below took effect on November 1, 2024:

  • Exemptions: Companies that have fewer than twenty employees, less than $7,500,000 in gross annual revenue in each of the last three fiscal years, or less than $15,000,000 in year-end total assets now qualify for a limited exemption. These thresholds are higher than before: previously, only companies with fewer than 10 employees, less than $5,000,000 in gross annual revenue, or less than $10,000,000 in year-end total assets qualified. The exemption is limited, not total; exempt companies remain subject to core requirements such as maintaining a cybersecurity program and policies.
  • Increased Responsibility: A company's senior governing body must now have sufficient understanding of cybersecurity-related matters to oversee them effectively. The senior governing body must also oversee the implementation of an effective cybersecurity program and confirm that management has allocated enough resources to it. The company's Chief Information Security Officer ("CISO") is now required to make timely reports of material cybersecurity issues to the senior governing body and to include plans for remediating material inadequacies in the annual CISO report.
  • Proactive Plans: The amendments still require companies to establish and implement an incident response plan. However, the plan must now be proactive rather than merely reactive. Proactive measures include: 1) preparing a root cause analysis describing how and why the event occurred, what business impact it had, and what will be done to prevent recurrence; and 2) updating the incident response plan as necessary. Companies must also maintain, and periodically test, a business continuity and disaster recovery plan.
  • Encryption: Previously, the CISO could approve alternative compensating controls in place of encryption for both data at rest and data in transit. The amendments remove that option for data in transit: nonpublic information transmitted over external networks must now be encrypted to industry standards, and CISO-approved compensating controls remain available only for data at rest.

Key Takeaways

Federal and state financial regulators have consistently modeled their regulations after the NYDFS cybersecurity regulations. We continue to track the global mandates requiring companies to implement proactive and reactive cybersecurity measures.

Companies, especially those in critical infrastructure sectors such as financial services, are encouraged to review their cybersecurity and data governance programs to ensure that: 1) their policies and procedures are both proactive and reactive; 2) all plans are tailored to the company's needs and specific compliance requirements; and 3) tailored training and education for all stakeholders, including senior leadership, are offered to help identify and mitigate cyber risk.

If you have any questions regarding strengthening or tailoring your company’s cybersecurity and data governance program, please contact your Baker McKenzie attorney or the authors below.

Author

Justine focuses her practice on both proactive and reactive cybersecurity and data privacy services, representing clients in matters related to information governance, diligence in acquisitions and investments, incident preparedness and response, the California Consumer Privacy Act, privacy litigation, and cyber litigation.

Author

Elizabeth Roper is a partner in Baker McKenzie's North America Litigation and Global Dispute Resolution Practice. She is based in the New York office. Prior to joining the firm, Liz served in the Manhattan District Attorney's Office as Bureau Chief of the Cybercrime and Identity Theft Bureau (CITB). In this role, Liz directed the investigation and prosecution of all types of cybercrime impacting Manhattan, including sophisticated cyber-enabled financial crime such as identity theft, payment card fraud, and money laundering; network intrusions, hacking, ransomware, and "middleman" attacks; intellectual property theft; "dark web" trafficking of contraband; and the theft and illicit use of cryptocurrencies.

Author

Mercedes is an associate in Baker McKenzie's IP & Technology Practice Group based in Chicago.