PH Privacy

New NYDFS Part 500 Requirements Continue to Become Effective

December 06, 2023

By Jeremy Berkowitz

New reporting obligations for covered entities under New York Department of Financial Services (NYDFS) Part 500 Cybersecurity Regulations went into effect on December 1, 2023. These new requirements are one portion of the Part 500 amendment, which NYDFS adopted last month. Changes to different sections of Part 500 will be going into effect on a rolling basis over the next 24 months.

The updates that went into effect on December 1 are related to cybersecurity event reporting. Existing rules under section 500.17 require all cybersecurity events be reported electronically within 72 hours of becoming aware of an event. The new updates state that covered entities must report events that occur not just at the covered entity, but also at their affiliates and third-party service providers. Covered entities are also now required to update NYDFS with any new information about such cybersecurity events as the investigation continues.

Additionally, there is a new requirement where covered entities must report any extortion payments made. This includes 1) providing notice within 24 hours of an extortion payment made, and 2) providing additional information within 30 days of the extortion payment including why the payment was necessary and alternative solutions that the covered entity considered in lieu of a payment.

Below is a timeline for when updates to other sections go into effect over the next 24 months:

Effective Date

Part 500 Section

December 1, 2023

Reporting Cybersecurity Events (500.17)

Extortion Payment Notifications (500.17)

April 15, 2024

Certification of Compliance (500.17)

April 29, 2024

Independent Audits (500.2)

Vulnerability Management (500.5)

Cybersecurity Policies (500.3)

Risk Assessments (500.9)

Cybersecurity Awareness Training (500.14)

November 21, 2024

Cybersecurity Governance (500.4)

Encryption (500.15)

Incident Response Plans (500.16)

Small Business Requirements (50.19)

May 1, 2025

Vulnerability Scans (500.5)

User Access Privileges (500.7)

Malicious Code, Endpoint Detection (500.14)

November 1, 2025

Multi-factor Authentication (500.12)

Asset Inventory (500.13)

Paul Hastings continues to monitor guidance released from NYDFS about the amendment. We will continue to provide updates and are happy to assist covered entities with understanding how they need to comply with the updated amendment.

For More Information

Image: Jeremy Berkowitz
Jeremy Berkowitz

Senior Privacy Director and Deputy Chief Privacy Officer

Get In Touch With Us

Contact Us