New reporting obligations for covered entities under New York Department of Financial Services (NYDFS) Part 500 Cybersecurity Regulations went into effect on December 1, 2023. These new requirements are one portion of the Part 500 amendment, which NYDFS adopted last month. Changes to different sections of Part 500 will be going into effect on a rolling basis over the next 24 months.

The updates that went into effect on December 1 are related to cybersecurity event reporting. Existing rules under section 500.17 require all cybersecurity events be reported electronically within 72 hours of becoming aware of an event. The new updates state that covered entities must report events that occur not just at the covered entity, but also at their affiliates and third-party service providers. Covered entities are also now required to update NYDFS with any new information about such cybersecurity events as the investigation continues.

Additionally, there is a new requirement where covered entities must report any extortion payments made. This includes 1) providing notice within 24 hours of an extortion payment made, and 2) providing additional information within 30 days of the extortion payment including why the payment was necessary and alternative solutions that the covered entity considered in lieu of a payment.

Below is a timeline for when updates to other sections go into effect over the next 24 months:

Paul Hastings continues to monitor guidance released from NYDFS about the amendment. We will continue to provide updates and are happy to assist covered entities with understanding how they need to comply with the updated amendment.