Alternative Investment Managers located in NY: What you need to know about changes to NY DFS Cyber Regulations

As of November 1, 2023, Part 500 of the NYCRR has come into effect. Here’s what Alternative Investment Managers need to know about the new requirements of Part 500 and to whom they apply. 

What you should know —  Knowing whether or not your business falls within the scope of NYCRR Part 500 is the key to preparing properly for the upcoming regulatory deadlines.  

Part 500 defines a covered entity as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies.” 

Limited exemptions are available for cover entities with fewer than 20 employees, less than $7.5 million in gross annual revenue from the last three fiscal years, and less than $15 million in year-end total assets. 

Additional exemptions may be available, depending on your business situation.  

Read more: Flowchart: Are you exempt from the NY DFS’s Cybersecurity Regulation? 

Why you should care — For businesses subject to Part 500, the amendment introduces several new rules to strengthen cybersecurity across the entire business lifecycle, including in business planning, decision-making, and ongoing risk management.  

Part 500’s new rules and changes include:  

  • Enhanced governance requirements 
  • Additional access and authorization controls 
  • Increased risk and vulnerability assessment frequency 
  • Improved incident response, business continuity, and disaster recovery planning 
  • New reporting requirements, including for ransomware payments 

In terms of enforcement, here are the regulation’s key dates/deadlines: 

April 29, 2024: Risk assessments and cybersecurity policies must now be reviewed and updated at least annually or when business changes cause a material impact on cyber risk. Conduct at least annual penetration testing from inside and outside information systems’ boundaries. Staff training must also occur on an annual basis. 

November 1, 2024: Several new cybersecurity governance rules come into effect, including updated CISO reporting requirements, encryption of nonpublic information, and updated requirements for superintendent notices of cybersecurity incidents. Training must be extended to those critical in the implementation of the Incident Response Plan and Disaster Recovery Plan. 

May 1, 2025: New rules regarding vulnerability management to ensure full coverage over the environment. New requirements for access and privilege management such as recurring audits.  

November 1, 2025: Businesses must implement multi-factor authentication (MFA) for all individuals accessing their information systems, including any third-party cloud applications.  

Read more: Learn the specifics with the Cybersecurity Implementation Timeline for Covered Entities. 

Get smart and take action — With Drawbridge Cyber Risk Assessments and Drawbridge Analytics, you can gain actionable remediation recommendations to help you meet the requirements of NYCRR Part 500. As an independent cyber vendor, Drawbridge can objectively assess your current cyber posture. 

Request a Drawbridge demo today