We wanted to remind employers that on November 1, 2023, the New York Department of Financial Services (NYDFS) adopted an update to the Regulations on Cybersecurity in cyber threats. This also involved a phased compliance implementation.

According to the NYDFS, there are 5 dates for the phased compliance deadlines:

• November 1, 2023
• December 1, 223
• April 29, 2024
• November 1, 2024
• May 1, 2025
• November 1, 2025

On November 1, 2024, covered entities should:

• Multi-Factor Authentication (MFA) and Encryption.
• Cybersecurity Awareness and Training.
• Chief Information Security Officer (CISO) Reporting and Oversight.
• Incident Response and Business Continuity Plans.
• Backup and Recovery.

On May 1, 2025, covered entities should:

• Implement controls to protect against malicious code by monitoring and filtering web traffic and email, and deploy an endpoint detection and response solution along with centralized logging and security event alerts. The CISO can approve reasonably equivalent or more secure compensating controls, but this approval must be in writing.

On November 1, 2025, covered entities should:

• Implement MFA for all individuals accessing any of a CE’s information systems, with the CISO able to approve reasonably equivalent or more secure compensating controls, reviewed at least annually.

• Establish written policies and procedures to maintain a complete, accurate, and documented asset inventory of information systems, including methods to track key information such as owner, location, and update frequency.

For additional information and resources:

• NYDFS Compliance Guide
• NYDFS SECOND AMENDMENT TO 23 NYCRR 500

This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.