Proposed Second Amendment to 23 NYCRR Part 500
**Attorney Advertising**

The Department of Financial Services released their Proposed Second Amendment to the Cybersecurity Regulation, 23 NYCRR Part 500. This amendment requires Class A Companies to implement additional cybersecurity controls, such as independent audits or their cybersecurity programs at least annually, monitoring privileged access activity, and using external experts to conduct a risk assessment at least once every three years.

Additionally, the Proposed Second Amendment states a Class A Company is a covered entity within the meaning of the statute. Further, Class A Companies are a covered entity with at least $20 million in gross annual revenue in each of the last two fiscal years from the business operations of the covered entity and (1) has over 2,000 employees averaged over the last two fiscal years, or (2) over $1 million in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and its affiliates.

The most significant proposed changes under the Second Amendment include:

• Section 500.3: covered entities are required to implement and maintain a written policy, approved at least annually, by the senior governing body of the covered entity that must be development, documentation, and implementation in accordance with the entity’s written policies.
• Chief Information Security Officer Section 500.4: covered entities are required to designate a qualified individual as Chief Information Security Officer (“CISO”) to ensure cybersecurity risks are appropriately managed. The CISO should report at least annually to the senior governing body or senior officer responsible for the entity’s cybersecurity program.
• Vulnerability and Penetration Testing Requirements Section 500.5: covered entities are required to develop and implement written policies and procedures for vulnerability management. These policies ensure entities conduct penetration testing from both inside and outside the information system’s boundaries by a qualified internal or external independent party at least annually and automated scans of information systems and a manual review of systems not covered by such scans to analyze and report vulnerabilities. Covered entities are also required to have monitoring processes for emerging security vulnerabilities and the timely remediation of such vulnerabilities.
• Access Controls Section 500.7: Covered entities shall limit the use of privileged accounts with access to nonpublic information to the privileges necessary to perform the user’s job.
• Use of Multifactor Authentication Section 500.12: Covered entities should use multifactor authentication for (1) remote access to the entity’s information systems; (2) remote access to third-party applications; and (3) all privileged accounts.
• Asset Management and Data Retention Requirements Section 500.13: Covered entities are required to implement written policies that include a method to track key information for each asset.
• Encryption Section 500.15: Covered entities are required to implement a written policy requiring encryption that meets industry standards to protect nonpublic information.
• Business Continuity Section 500.16: Covered entities are required to establish written plans that contain proactive measures to investigate and mitigate disruptive events, including incident response, business continuity, and disaster recovery plans to address different types of cybersecurity events.
• Notice Requirements Section 500.17: Covered entities must provide the DFS with (1) notice of the cybersecurity event within 72 hours from occurrence, (2) information regarding the investigation of the cybersecurity event within 90 days of the occurrence of the event, and (3) notify the DFS in the event an entity is affected by a cybersecurity event at a third-party service provider within 72 hours of the occurrence of the cybersecurity event.

The Proposed Amendment’s comment period expired on January 9, 2023, and has a planned phased rollout beginning 180 days from the effective date of the Proposed Second Amendment.