No Match Found
Revisions to the New York State Department of Financial Services (NYSDFS) Part 500 cybersecurity regulation are now final — just in time for 2024 budgets. First proposed in July 2022, the draft underwent several iterations since, notably in November 2022 and June 2023. While some of the more prescriptive elements of the proposed rule have given way to a more flexible, risk-based approach, most of the rule’s revisions remain intact. The final rule retains enhanced requirements for governance, risk assessments, password and data management, as well as the net-new requirements for asset inventory, business continuity and disaster recovery (BCDR), and independent audits.
With this revision, NYSDFS is emphasizing compliance and governance from several angles — from the top down, by requiring CEO and CISO signoff based on data and documentation and a required role for the board; from the bottom up, by setting minimum required frequency for control execution and requiring documentation; and from the side, by injecting the independent audit requirement as an independent check on the program.
As of December 1, 2023, not only must the highest ranking executive (usually, and hereafter, the CEO) now sign off on compliance with the regulation, but this certification must now be based on data and documentation sufficient to accurately determine and demonstrate material compliance (described further below), including any reliance on third parties and affiliates to meet the requirements. Because this change takes effect on December 1, 2023, it will be in place in time to lift the bar for this year’s certification, due for submission by April 15, 2024. Where some firms may have relied on control owner attestation, evidence of control execution would now be expected. If a firm can’t certify its material compliance, it must file a written statement and include timelines for remediation to obtain material compliance.
All revisions to notice requirements, including certification and cybersecurity event reporting (500.17 Notices to the Superintendent), now take effect on December 1, 2023.
Throughout the regulation, the NYSDFS specifies that firms must conduct certain activities at least annually and introduces the requirement that they review and approve compensating controls in writing. The new incident-response and BCDR requirements specify annual testing, and the risk assessment must be executed at least annually with the policies and procedures it drives reviewed and approved at least annually as well. While an annual or more frequent cadence of control execution and program validation is implied by the current annual certification requirement, the NYSDFS is making its views explicit: Certify compensating controls at least annually and back it up with documentation.
The data-and-documentation basis for certification indicates that the regulator has seen shortcomings in firms’ approaches to evidencing compliance. Indeed, many enforcement actions under Part 500 have cited shortcomings in compliance certification (500.17(b) Violations). Requiring CEO certification or, in lieu of that, a written acknowledgement of noncompliance, raises the bar — the CISO may have no qualms signing off on the program based on direct knowledge, but proving the program is compliant to a non-cyber executive may be more difficult. It’s a challenge that firms may need to overcome by year-end. For 2024 and beyond, that same challenge will extend over program elements that aren’t typically under the CISO’s purview, such as technology (patching and asset inventory) and resiliency (BCDR planning, testing and backups).
The final rule requires Class A companies (large companies, as defined further below, facing the most stringent requirements) to execute independent audits based on their risk assessment, rather than on an annual basis. While the annual requirement is no longer stated, the audit is now linked to the risk assessment, which the revision now requires to be refreshed at least annually.
Independent audit requirement starts April 29, 2024, for large companies. Class A companies must conduct an independent audit of their cybersecurity program meeting NYSDFS rule 500 requirements based on their risk assessment. In the discussion of public comments, the regulator acknowledged that many companies typically conduct multiple independent audits annually of their cybersecurity program capabilities (e.g., incident response, multi-factor authentication (MFA)) based on the risk level each year, and aligned this requirement with the regulation’s overall flexible, risk-based approach. We expect these audits to play two roles, therefore — meeting the new requirements but also informing and supporting the certification process, by supplying an independent, evidence-based view of the cyber program.
With the risk assessment now required at least annually, covered entities should use the assessment to inform their audit plan by focusing not only on traditional cybersecurity capabilities but also technology operations (such as net-new requirements for asset inventory) and operational resilience (such as net-new BCDR planning and testing).
The final amendments cement stricter requirements for a new category of “Class A companies,” defined as firms $20 million in New York revenue and either 2,000 employees or an average of $1b in gross annual revenues over the past three years. Both definitions include “affiliates,” or firms with common ownership that share information systems, cyber resources or any part of a cybersecurity program with the NYDFS-supervised institutions. This significantly expands the universe of companies deemed Class A. In addition to the independent audit, Class A companies will have to implement:
While most of the substantive changes won’t become effective for 180 days, or by April 29, 2024, the timing raises the bar on compliance evidence almost immediately. The longer transition periods reflect an acknowledgement that the revision’s core requirements may pose significant challenges to firms.
The newly effective version requires the ability to certify for “material” compliance. The regulator has left it up to each covered entity to define and establish criteria for material compliance, previously noting that materiality will vary for each covered entity and will depend on their specific circumstances. Material compliance is also referenced within 500.20(b) in communicating criteria for citing violations that can lead to fines and other penalties.
The waiting is over. Now’s the time to take action.
Recent changes have elevated additional leading practices to mandatory status. Using these amendments as a guiding framework to enhance your cybersecurity initiatives can help not only to prepare for regulatory scrutiny but also to safeguard your clients, your organization and its reputation.
While required adoption of some changes can occur up to two years from November 1, 2023, organizations need to act now to enable alignment with the changes that must be adopted before year-end 2023.
Cyber, Risk and Regulatory Marketing Lead Partner, PwC US
Cyber & Privacy Innovation Institute Leader, PwC US
Global Senior Regulatory Advisor, PwC US
Managing Director, PwC US