Summary of New Requirements in Second Amendment to 23 NYCRR 500 Cybersecurity Regulation, Risk Assessment, and General thoughts on Definition
https://www.dfs.ny.gov/system/files/documents/2023/11/rf_fs_part500_amend2_20231101_alt.pdf


The new requirements reflect a focus on continuous assessments, refined risk assessments, new executive oversight, refined audit roles, and improvements to the organization’s cybersecurity program.

One salient change is the expanded definitions provided, which lend clarity and set clear expectations. For example, the definition of "Risk Assessment" now includes specifics on evaluating and categorizing risks, assessing confidentiality/integrity/availability of systems and data, and establishing risk mitigation plans.

This closes previous gaps that caused confusion among regulated entities, some of whom approached risk assessments as control evaluations rather than a comprehensive analysis of threats, vulnerabilities, and security controls required to meet residual risk targets.

Truly understanding risk requires clarity on the assets requiring defense (via asset management), their criticality (through business impact analysis), awareness of adversary techniques that could breach those assets, and measured solutions to mitigate risk to tolerable levels. Defining these foundational elements sets consistent expectations for regulated entities to perform robust risk assessments that adequately identify and prepare for cybersecurity threats (see illustrations and best practice citations below).
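The four elements named above (inventoried assets, business impact, adversary techniques, and controls measured against a tolerance) map directly onto a risk register. The following is an added illustration, not part of the original article or of the regulation: a small Python model in which inherent risk is impact times likelihood, each control is credited with a fraction of likelihood reduction, and residual risk is compared with a tolerance to decide whether a mitigation plan is still required. All asset names, ratings and control credits are constructed for the example; a scenario that names an asset missing from the inventory is rejected, since an unmanaged asset cannot be risk-assessed.

```python
"""Illustrative risk register: inherent vs. residual risk against a tolerance.

Constructed example. Every value below is invented for illustration and is
not taken from 23 NYCRR 500 or from any real assessment.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    owner: str
    classification: str  # data classification recorded in the asset inventory
    impact: int          # business-impact rating 1..5 from the BIA


@dataclass
class Threat:
    asset: str           # name of the inventoried asset the scenario targets
    technique: str       # adversary technique considered in the scenario
    likelihood: int      # 1..5 before any control is credited
    # (control name, fraction of likelihood the control is credited with removing)
    controls: List[Tuple[str, float]] = field(default_factory=list)


def inherent_risk(asset: Asset, threat: Threat) -> float:
    """Risk before controls: impact x likelihood on a 5x5 scale (max 25)."""
    return float(asset.impact * threat.likelihood)


def residual_risk(asset: Asset, threat: Threat) -> float:
    """Risk after crediting each control's likelihood reduction multiplicatively."""
    likelihood = float(threat.likelihood)
    for name, reduction in threat.controls:
        if not 0.0 <= reduction < 1.0:
            raise ValueError(f"control {name!r} must reduce likelihood by [0, 1)")
        likelihood *= 1.0 - reduction
    return asset.impact * likelihood


def assess(assets: List[Asset], threats: List[Threat], tolerance: float) -> List[Dict]:
    """Evaluate every threat scenario and flag those whose residual risk exceeds tolerance."""
    inventory = {a.name: a for a in assets}
    findings = []
    for t in threats:
        if t.asset not in inventory:
            # The scenario references something asset management never recorded.
            raise ValueError(f"scenario {t.technique!r} targets uninventoried asset {t.asset!r}")
        a = inventory[t.asset]
        residual = residual_risk(a, t)
        findings.append({
            "asset": a.name,
            "owner": a.owner,
            "technique": t.technique,
            "inherent": inherent_risk(a, t),
            "residual": residual,
            "status": "within tolerance" if residual <= tolerance else "mitigation plan required",
        })
    return findings


def sample_register() -> Tuple[List[Asset], List[Threat]]:
    """Constructed inventory and threat scenarios (hypothetical values)."""
    assets = [
        Asset("customer-db", "data-platform", "nonpublic", impact=5),
        Asset("marketing-site", "web-team", "public", impact=2),
    ]
    threats = [
        Threat("customer-db", "credential stuffing against admin portal", likelihood=4,
               controls=[("MFA on admin portal", 0.75), ("PAM session monitoring", 0.5)]),
        Threat("marketing-site", "web defacement via unpatched CMS", likelihood=3),
    ]
    return assets, threats


if __name__ == "__main__":
    assets, threats = sample_register()
    for f in assess(assets, threats, tolerance=5):
        print(f"{f['asset']:<15} {f['technique']:<45} inherent={f['inherent']:>4} "
              f"residual={f['residual']:>4} -> {f['status']}")
```

Note that in this register the high-impact database, with two credited controls, ends up within tolerance, while the low-impact public site with no controls does not: the comparison that matters is residual risk against the target, not raw criticality or the presence of a control list.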

The enhanced definitions and other regulatory changes reflect tighter oversight and higher standards intended to improve cybersecurity across New York's regulated entities, and arguably raise the bar for most other states' security requirements as well.

NIST RA Examples:

  • NIST 800-30 Cycle (illustration)
  • NIST RMF (illustration): https://csrc.nist.rip/groups/SMA/fisma/Risk-Management-Framework/index.html
  • NIST 800-37: https://csrc.nist.gov/pubs/sp/800/37/r2/final

Summary of New Requirements in Second Amendment to 23 NYCRR 500 Cybersecurity Regulation:

Below is a reconciliation of all New, Amended, and Existing requirements, together with the compliance elements that could typically be used to meet each Section's requirements. Specific details on compliance expectations for each requirement can be found in the original extract linked above. Note: this is not legal advice.

Section 500.1 Definitions (AMENDED)

  • Class A company (NEW): A new category for entities with specific revenue and employee thresholds, which includes additional requirements for independent audits.
  • Cybersecurity Incident (AMENDED): A clarified definition that distinguishes incidents from events and specifies the criteria that qualify an event as an incident.
  • Independent Audit (NEW): A new definition that emphasizes the need for audits to be conducted without influence from the entity being audited.
  • Privileged Account (NEW): A definition for accounts with special permissions, highlighting the need for stricter controls over these accounts.

Compliance Elements for Section 500.1:

  • Class A Companies: Must conduct independent audits based on risk assessment if meeting defined revenue and employee thresholds.
  • Cybersecurity Incident Response: Must have protocols to respond to incidents as defined in the amended regulation.
  • Privileged Account Management: Must implement controls to manage and secure privileged accounts.

Section 500.2 Cybersecurity Program (AMENDED)

  • Independent Audits for Class A Companies (NEW): (c) Each class A company shall design and conduct independent audits of its cybersecurity program based on its risk assessment.

Compliance Elements for Section 500.2:

  • Independent Audits: Class A companies must schedule and conduct independent audits annually.

Section 500.3 Cybersecurity Policy (NO CHANGE)

  • Covered entities must develop, implement, and annually review written cybersecurity policies approved by senior leadership or governing body.
  • Policies must address required areas such as information security, asset management, access controls, etc.

Section 500.4 Cybersecurity Governance (NEW)

  • CISO Report (NEW): (b) The CISO of each covered entity shall report in writing at least annually to the senior governing body on the covered entity’s cybersecurity program, including to the extent applicable:
  • Oversight of Cybersecurity Risk Management (NEW): (d) The senior governing body of the covered entity shall exercise oversight of the covered entity’s cybersecurity risk management.

Compliance Elements for Section 500.4:

  • CISO Annual Report: Must be prepared and delivered to the senior governing body annually.
  • Oversight: Regular reviews and resource allocation confirmation by the senior governing body.

Section 500.5 Vulnerability Management (AMENDED)

  • Penetration Testing (AMENDED): (a) Each covered entity shall, in accordance with its risk assessment, develop and implement written policies and procedures for vulnerability management that are designed to assess and maintain the effectiveness of its cybersecurity program.
  • Vulnerability Assessments (AMENDED): (a) Each covered entity shall, in accordance with its risk assessment, develop and implement written policies and procedures for vulnerability management that are designed to assess and maintain the effectiveness of its cybersecurity program.

Compliance Elements for Section 500.5:

  • Penetration Testing: Must be conducted at least annually by a qualified internal or external party.
  • Vulnerability Assessments: Frequency is determined by risk assessment and must be conducted promptly after significant system changes.

Section 500.6 Audit Trail (NO CHANGE)

  • Covered entities must implement systems to reconstruct material transactions and detect cybersecurity events.
  • Required records must be retained for 5 years (transactions) and 3 years (cyber events).

Section 500.7 Access Privileges (AMENDED)

  • Requires limiting access privileges and the use of privileged accounts based on need and role, periodic review of access, and a password policy.
  • Privileged Access Monitoring (NEW): (c) Each class A company shall monitor privileged access activity and shall implement: (1) a Privileged Access Management (PAM) solution; and (2) an automated method of blocking commonly used passwords.

Compliance Elements for Section 500.7:

  • Covered entities must limit access privileges based on user needs and roles.
  • Privileged accounts must be restricted and monitored.
  • Access must be reviewed periodically and removed when no longer needed.
  • A password policy meeting industry standards must be implemented.
  • Privileged Access Monitoring: Class A companies must implement solutions to monitor privileged access activity.
  • PAM Implementation: Class A companies must implement a PAM solution and an automated method of blocking commonly used passwords.

Section 500.8 Application Security (NO CHANGE)

  • Requires written procedures for secure development of in-house and external applications. Annual review by CISO.

Compliance Elements for Section 500.8:

  • Written procedures must be implemented for secure development of applications.
  • Procedures must be reviewed annually by the CISO.

Section 500.9 Risk Assessment (AMENDED)

  • Risk assessments must be conducted periodically to identify and prioritize cybersecurity risks.
  • Assessments must be reviewed and updated at least annually and after material changes.

Compliance Elements for Section 500.9:

  • Risk assessments must follow defined procedures for evaluating and categorizing risks.
  • Assessments must address confidentiality, integrity and availability of systems and data.
  • Risk mitigation plans must be established.

Section 500.10 Cybersecurity Personnel (NO CHANGE)

  • Covered entities must utilize qualified personnel to perform core cybersecurity functions.
  • Personnel must receive regular cybersecurity updates and training.

Compliance Elements for Section 500.10:

  • Covered entities must utilize qualified personnel to perform core cybersecurity functions.
  • Personnel must receive regular cybersecurity updates and training.

Section 500.11 Third Party Security (NO CHANGE)

  • Requires written policies and procedures for security of third party systems/data access. Required due diligence and assessments.

Compliance Elements for Section 500.11:

  • Written policies and procedures must be implemented for third party security.
  • Due diligence and assessments of third parties must be performed.

Section 500.12 Multi-Factor Authentication (AMENDED)

  • Requires MFA for any system access unless qualified for exemption. CISO can approve alternatives.

Compliance Elements for Section 500.12:

  • Multi-factor authentication must be implemented for all system access.
  • Alternatives may be approved in writing by the CISO.

Section 500.13 Asset Management (AMENDED)

  • Requires documented asset inventory with defined elements like owner and classification. Secure disposal procedures.

Compliance Elements for Section 500.13:

  • An asset inventory must be maintained with required elements documented.
  • Secure disposal procedures must be implemented.

Section 500.14 Training and Monitoring (NEW)

  • Training and Monitoring (NEW): (a) As part of its cybersecurity program, each covered entity shall:

Compliance Elements for Section 500.14:

  • Cybersecurity Training (NEW): Must be conducted regularly to ensure that all personnel are aware of cybersecurity risks and required mitigating behaviors.

Section 500.15 Encryption (AMENDED)

  • Requires encryption of nonpublic data in transit and at rest per industry standards unless CISO approves compensating controls. CISO reviews annually.

Compliance Elements for Section 500.15:

  • Nonpublic data must be encrypted in transit and at rest per industry standards.
  • CISO may approve compensating controls with annual review.

Section 500.16 Incident Response & Business Continuity (AMENDED)

  • Requires written incident response and business continuity/disaster recovery plans. Periodic testing of plans and restoration capabilities required.

Compliance Elements for Section 500.16:

  • Written incident response and business continuity plans must be developed and implemented.
  • Plans must be periodically tested and updated.

Section 500.17 Notices to Superintendent (NEW)

  • Notices to Superintendent (NEW): (a) Notice of cybersecurity incident.
  • Compliance Certification (NEW): (b) Notice of compliance.

Compliance Elements for Section 500.17:

  • Notification (NEW): Must be made within 72 hours in the event of a material cybersecurity incident, as defined by the updated regulations.
  • Compliance Certification (NEW): Annual certification or acknowledgement of compliance signed by highest-ranking executive and CISO.

Section 500.18 Confidentiality (NO CHANGE)

  • Information provided by a covered entity pursuant to this Part is subject to exemptions from disclosure under applicable laws.

Section 500.19 Exemptions (AMENDED)

  • Defines qualifying exemptions from certain provisions.

Compliance Elements for Section 500.19:

  • Covered entities must file required notices to claim eligible exemptions.

Section 500.20 Enforcement (NEW)

  • Authorizes Superintendent to enforce regulation under applicable laws.

Section 500.21 Effective Date (NO CHANGE)

  • Initial regulation effective 3/1/2017, amendment effective 11/1/2023.

Section 500.22 Transitional Periods (AMENDED)

  • Phased compliance time frames for initial and amended regulation.

Section 500.23 Severability (NO CHANGE)

  • Standard severability clause.

Farid Abdelkader Great summary and reminder of all the changes in NYCRR 500. As we approach the 1 year anniversary of Amendment 2, it seems there is heightened focus on these changes. Great reminder for the #cybersecurity #regulations #risk_management community.
