Financial institutions, insurance companies, and other businesses regulated by the New York Department of Financial Services (NYDFS) may need to take additional steps to comply with certain NYDFS cybersecurity regulations scheduled to take effect on November 1, 2024.

Quick Hits

• Certain requirements of the amended NYDFS cybersecurity regulations will take effect on November 1, 2024.
• Covered entities may need to update their policies and procedures, including with respect to corporate governance, encryption, incident response and business continuity plans, system testing, and employee training.

On March 1, 2017, the NYDFS enacted comprehensive cybersecurity regulations for financial services companies and other covered entities. The cybersecurity regulations were most recently amended on November 1, 2023, with a series of rolling effective dates beginning on December 1, 2023. Several provisions of the amended cybersecurity regulations will take effect on November 1, 2024, with others coming into effect in 2025.

Covered Entities

The cybersecurity regulations apply to covered entities regulated by the NYDFS, which includes financial institutions, insurance companies, insurance agents and brokers, banks, trusts, mortgage banks, mortgage brokers and lenders, money transmitters, check cashers, and other companies. Under the amended cybersecurity regulations, certain large companies (Class A companies) have additional requirements, while certain small businesses are exempt from specific regulations.

Regulations Effective on November 1, 2024

Nonexempt covered entities, including Class A companies, may want to implement certain policies and procedures by November 1, 2024. Among other things, a nonexempt covered entity may want to consider the following steps:

• Updating its corporate governance, including by having the chief information security officer (CISO) timely report to the senior governing body or senior officer(s) on material cybersecurity issues, such as significant cybersecurity events and significant changes to the covered entity’s cybersecurity program.
• Ensuring the senior governing body exercises oversight of cybersecurity risk management, including by having sufficient understanding of cybersecurity-related matters to exercise such oversight, and regularly receiving and reviewing management reports about cybersecurity matters.
• Implementing a written policy requiring encryption that meets industry standards to protect nonpublic information. A covered entity may use effective alternative compensating controls for information at rest if approved by the CISO in writing.
• Updating its incident response plan to include, among other procedures, the internal process for responding to a cybersecurity event, recovery from backups, and preparation of a root cause analysis after an event.
• Implementing a business continuity and disaster recovery plan that meets specified requirements and maintains backups necessary to restore material operations.
• Training employees responsible for implementing the incident response and disaster recovery plans regarding their roles and responsibilities.
• Testing the incident response plan, disaster recovery plan, and backup systems at least annually.

Covered entities may also want to review the amended cybersecurity regulations to determine whether they qualify for an exemption, as well as for a complete list of applicable cybersecurity requirements, including those requirements effective as of November 1, 2024.

Next Steps

Companies regulated by the NYDFS may wish to review their cybersecurity policies, practices, and training to ensure compliance with the amended cybersecurity regulations by November 1, 2024. Additional requirements will take effect on May 1, 2025, and November 1, 2025.