New York DFS Proposes Revisions to Landmark Cybersecurity Regulation
On Wednesday, November 9, 2022, the New York Department of Financial Services (“DFS”) announced proposed revisions to New York State’s landmark Cybersecurity Regulation, 23 NYCRR Part 500. The proposed amended regulation (“Amended Cybersecurity Regulation”) will be subject to comment for 60 days, after which DFS will review the comments received and either propose a revised version or adopt the final regulation. If adopted, the revisions will impose new requirements, including new reporting and access control requirements; enhanced governance obligations; detailed written policies, plans, and procedures; and enhanced testing and mandatory cybersecurity awareness training on an annual basis.
As our readers know, New York’s Cybersecurity Regulation applies to entities in the financial, banking and insurance sectors, referred to as “covered entities.” When first promulgated in 2017, the Cybersecurity Regulation was the first of its kind in the nation. Since then, numerous other states, as well as the federal government, have followed New York’s lead and adopted similar measures. With these recently proposed revisions, DFS is poised to cement its place at the forefront of the nation’s efforts to protect companies and consumers against cyber threats. According to DFS, the changes are necessary in order to “keep pace with new threats and technology purpose-built to steal data or inflict harm.”
Covered entities should start getting familiar with the Amended Cybersecurity Regulation now. An overview of some of the key changes is below.
New Notification Requirements
The existing Cybersecurity Regulation requires companies to notify DFS within 72 hours of certain “cybersecurity events.” The Amended Cybersecurity Regulation expands the definition of cybersecurity event to include (1) “where an unauthorized user has gained access to a privileged account” and (2) where ransomware has been deployed “within a material part of the covered entity’s information system.” Covered entities would be required to provide DFS with information regarding the investigation of the cybersecurity event within 90 days of providing notice. A covered entity would also be required to notify DFS within 72 hours of becoming aware that it has been affected by a cybersecurity event at a third-party service provider. Finally, the Amended Cybersecurity Regulation requires covered entities to notify DFS within 24 hours of making a ransom payment, as well as to provide, within 30 days, a written description of why the payment was necessary.
The existing Cybersecurity Regulation requires companies to submit a written notice of compliance every year, which the Amended Cybersecurity Regulation clarifies must be supported by sufficient data and documentation. Alternatively, a covered entity would be permitted to submit a written acknowledgement that describes any areas of noncompliance, identifies areas of improvement, and provides remediation plans with a timeline for implementation.
Enhanced Governance Obligations
Like the Securities and Exchange Commission’s proposed rule, the Amended Cybersecurity Regulation also introduces new rules placing responsibility for information security and compliance with the covered entity’s “senior governing body.” The Cybersecurity Regulation already requires each covered entity to have a chief information security officer (CISO). The Amended Cybersecurity Regulation clarifies that the CISO must have adequate authority and independence to manage cybersecurity risks and implement cybersecurity programs. The CISO would also be required to review cybersecurity policies and procedures annually and “timely report” any cybersecurity issues to the company’s senior governing body.
Additionally, a company’s board of directors or equivalent, as opposed to a “senior officer,” would be responsible for approving its cybersecurity policies on an annual basis. Boards would be required to have “sufficient expertise” regarding cybersecurity and to exercise oversight and direction over the company’s cybersecurity risk management.
Policies, Plans, and Procedures
The revisions clarify that companies’ written cybersecurity policies and procedures must address data retention, end-of-life management, remote access controls, security awareness and training, incident notification, and vulnerability management. These policies and procedures must ensure that covered entities conduct annual penetration testing, as well as scans and reviews of their systems, and have processes in place to detect, document, and remedy any new security vulnerabilities.
Covered entities would be required to have written policies and procedures to ensure a complete and accurate asset inventory, as well as written password and encryption policies in line with industry standards. The revisions include further details that covered entities must include in their written incident response plans and specify that companies must also have a detailed written business continuity and disaster recovery plan.
Testing, Training, and Technology
The Amended Cybersecurity Regulation includes numerous new testing, training, and technology mandates. Covered entities would be required to:
- Conduct annual risk assessments and penetration testing of their information systems;
- Implement controls that protect against malicious code;
- Provide annual cybersecurity training, including social engineering exercises, for all personnel, as well as specialized training and testing for employees responsible for implementing incident response and business continuity and disaster recovery plans;
- Maintain and test backups; and
- Use multi-factor authentication in connection with remote access and privileged accounts.
The revisions also include strict limitations on privileged accounts and access functions.
Heightened Requirements for Large Companies
In addition to the general obligations discussed above, the Amended Cybersecurity Regulation would impose heightened requirements on large entities designated as “Class A companies.” The Amended Cybersecurity Regulation defines “Class A companies” as covered entities with at least $20,000,000 in gross annual revenue in each of the last two fiscal years from business operations of the covered entity and its affiliates in New York, and either over 2,000 employees or over $1 billion in gross annual revenues averaged over the last three years from all business operations of the company and its affiliates. Class A companies would be required to conduct an annual independent audit of their cybersecurity programs and a risk assessment using external experts at least once every three years. They would also be required to implement a privileged access management solution, an automated method of blocking commonly used passwords, an endpoint detection and response solution to monitor anomalous activity, and a solution that centralizes logging and security event alerting.
Compliance and Enforcement
Finally, the revisions provide new enforcement guidance. Notably, the Amended Cybersecurity Regulation clarifies that the commission of a single prohibited act or the failure to satisfy a single required obligation constitutes a violation of the Cybersecurity Regulation. Additionally, the Amended Cybersecurity Regulation provides a non-exhaustive list of aggravating and mitigating factors that DFS should consider when assessing a penalty for a violation.
If the Amended Cybersecurity Regulation is adopted, covered entities would have 180 days to come into compliance with most of its provisions, but would only have 30 days to comply with the notification requirements. We will continue to monitor and report on whether DFS adopts the Amended Cybersecurity Regulation and whether other states once again follow New York’s lead and adopt similar measures.