On November 1, 2023, the New York Department of Financial Services promulgated the 2nd Amendment to the New York State Cybersecurity Regulation, 23 NYCRR Part 500 (the “Amendment”). This post provides an overview of the new requirements introduced in the Amendment which will impact the operations and governance of all those subject to its provisions.
The Cybersecurity Regulation applies to all entities and individuals chartered, licensed, or approved to operate in New York by the state’s Department of Financial Services (each, a “Covered Entity”). The Regulation requires each Covered Entity to maintain a cybersecurity program, which extends to third party service providers of the Covered Entity and sets minimum standards to which the Covered Entity must comply.
The Amendment, which is effective November 1, 2023, phases in the changes outlined therein transitionally from November 1, 2023 through November 1, 2025. Of significant note, it further bifurcates the Covered Entity class by creating a “Class A” company category within the Covered Entity classification. In addition, it raises the employee-count, revenue and asset thresholds under which a Covered Entity may avail itself of the limited exemption. It also expands the annual compliance certification procedure to require two corporate officer signatories and adds a filing exemption application provision based upon hardship, impracticality, or good cause.
In addition to standard companies and small companies (which includes individuals), the Amendment creates a new category of Class A companies. Class A companies are defined, amongst other things, as companies with at least $20,000,000 in gross annual revenue and either more than 2,000 employees or more than $1,000,000,000 in gross annual revenue. These entities are subject to every requirement in the Cybersecurity Regulation that standard and small companies are, as well as other new obligations, which take effect April 29, 2024, and May 1, 2025, including:
While annual reporting by a Covered Entity is still required by April 15 of each year, certifying compliance with the immediately preceding year’s regulations, there have been adjustments to the reporting requirements now in effect. Most notably, these include:
Exemptions available to Covered Entities range from limited to full. Covered Entities which qualify for a limited exemption are not required to comply with certain sections of the Cybersecurity Regulation. Similarly, Covered Entities which qualify as fully exempt are not required to comply with any of the Cybersecurity Regulation (other than the initial filing of a Notice of Exemption) for as long as the Covered Entity remains qualified for a full exemption.
The Amendment changes the criteria for Covered Entities able to avail themselves of the limited exemption to include, amongst other things, those that have fewer than 20 employees and independent contractors and either less than $7,500,000 in gross annual revenue or less than $15,000,000 in year-end total assets. Each Covered Entity meeting these criteria is exempt from the cybersecurity obligations in 500.4 through 500.6, 500.8, 500.10, 500.14(a)(1), (a)(2) and (b), in addition to 500.15 and 500.16 of the Cybersecurity Regulation.
Section 500.24 of the amended Regulation, which became effective November 1, 2023, provides for an exemption from the electronic filing and submission requirements upon approval; the request for such an exemption must be submitted for approval 30 days prior to the filing due date. Amongst other things, the request must state the grounds and rationale upon which it is being made (undue hardship, impracticability or good cause) and whether the request for an exemption extends to future filings.
In a nutshell, one must:
Outlined herein is a high-level overview of some of the salient changes of the recent New York Cybersecurity Regulation 2nd Amendment. It is our intention that this overview serves to provide you with some generalized guidance and is therefore limited and not specific in nature. Should you have any questions please don’t hesitate to reach out to the 3H Corporate Services team for assistance. Kindly note that 3H Corporate Services and Creative Compliance Software Solutions are compliant with all third-party obligations required of a Covered Entity pursuant to New York State Cybersecurity Regulation, 23 NYCRR Part 500.