New York Cybersecurity Obligations Expand

On Nov. 1, 2023, New York state’s Department of Financial Services (NYDFS) published final rulemaking amendments to its Part 500 cybersecurity rules.

The 2023 amendments made a series of material changes to the obligations the regulations impose on “covered entities” (essentially all firms licensed by the NYDFS) to maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of their information systems and non-public information stored on those systems.

If this seems like old news, think again, because some of the more significant changes must be implemented this year.

May 1, 2025, Effective Date

• Section 500.5(a)(2): Scanning Requirements. Each covered entity must conduct automated vulnerability scans of information systems and a manual review of systems not covered by those scans.
• Section 500.7: Access Privilege and Password Requirements. Each covered entity must implement a written password policy that meets industry standards. Each Class A company—a new designation we’ll discuss in detail later—must monitor privileged user access activity and implement a privileged access management solution and an automated method of blocking commonly used passwords. This section also sets forth additional requirements pertaining to limiting user access privileges.
• Section 500.14(a)(2): Requirements for Protection Against Malicious Code. Each covered entity must implement riskbased controls designed to protect against malicious code.
• Section 500.14(b): Endpoint Decision and Response Solution. Each Class A company must implement an endpoint decision and response solution to monitor anomalous activity and a solution that centralizes logging and security event alerting.

Nov. 1, 2025, Effective Date

• Section 500.12: Multifactor Authentication Requirements. Multifactor authentication is required for any individual accessing any information systems of a covered entity, unless that entity qualifies for a limited exemption. If the covered entity has a chief information security officer (CISO), that individual may approve in writing the use of reasonably equivalent or more secure compensating controls.
• Section 500.13(a): Asset Inventory Requirements. Each covered entity must implement written policies and procedures designed to produce and maintain a complete, accurate, and documented asset inventory of its information systems.

The 2023 amendments also made two critical changes to the definition of “covered entities.” First, they redefined the universe of small covered entities that are exempt from some—but not all—of the Section 500 cybersecurity compliance requirements. Those small entities, for example, are not required to have a CISO; test their cybersecurity program’s penetration and vulnerability; maintain an audit trail of all cybersecurity activity; or monitor user access. Prior to the adoption of the 2023 amendments, this exemption was limited to those entities that, with their affiliates, had:

1. Fewer than 10 employees, including independent contractors, located in New York; or

2. Less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations; or

3. Less than $10 million in total year-end assets.

A small company that qualifies for the limited exemptions as a covered entity now has:

1. With its affiliates, fewer than 20 employees and independent contractors regardless of location; or

2. Less than $7.5 million in gross annual revenue in each of the last three fiscal years from all business operations of the covered entity itself and the New York business operations of the covered entity’s affiliates; or

3. Less than $15 million in year-end total assets of both the covered entity and its affiliates.

In a subsequently issued FAQ, NYDFS explained that “[w]hen calculating gross annual revenue for purposes of determining whether a Covered Entity qualifies for [the small company] exemption” under the second option, “the Covered Entity must include (1) the gross annual revenue from all of its business operations regardless of whether such operations are located in New York or anywhere else in the world and (2) the gross annual revenue from the New York business operations of their Affiliates.” The department noted that this exemption “is, and always has been, meant for small businesses, not for small branches or affiliates of large companies.”

That said, a firm with less than $7.5 million in New York domiciled business could theoretically still license only a single subsidiary in the state through which it could run all of that business to qualify for the reduced suite of small firm compliance obligations without running afoul of the applicable rules.

In the second key change, the 2023 amendments created a new category of entities subject to more extensive compliance requirements called “Class A companies.” Class A companies are defined as covered entities with at least $20 million in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity itself and the New York business operations of its affiliates, and having either:

1. Over 2,000 employees averaged over the last two fiscal years (including the employees of both the covered entity and its affiliates regardless of location); or

2. Over $1 billion in gross annual revenue in each of the last two fiscal years from operations of the covered entity and all of its affiliates regardless of where such revenue was sourced.

In addition to the access privilege and endpoint detection obligations placed on Class A companies as of this year, they are also subject to a new obligation that requires these businesses to design and conduct independent audits of their cybersecurity program based on their risk assessment.

The regulatory expansion of compliance obligations on information systems continues, seemingly without end.