Introduction of “Class A companies”: The updated cybersecurity regulations create a new category for larger corporations called “Class A companies.” These entities are held to stricter standards.

• Class A companies include covered entities with at least $20 million in gross annual revenue and either more than 2,000 employees or more than $1 billion in gross annual revenue.
• Class A companies are now required to conduct audits of their cybersecurity programs; those audits must be independent. Notably, an independent audit can still be conducted by an internal auditor if the auditor is free from influence (not unlike a data protection officer employed under the General Data Protection Regulation). This requirement may make it challenging for companies to conduct legally privileged audits.

New board/c-suite obligations: Executives, board members and senior officers now have specific responsibilities to oversee the covered entities’ cybersecurity program. These internal governance bodies are crucial to the proper functioning of a cybersecurity program and highlight regulators’ increased focus on the board’s role in cybersecurity oversight.

• Chief information security officers are now required to report to the board or other equivalent bodies on material cybersecurity issues (e.g., significant cybersecurity events or changes to cybersecurity programs).
• The board or other equivalent bodies now have specific obligations to oversee cybersecurity risk management, including reviewing regular management reports and confirming that the cybersecurity program is properly funded.
• Boards and equivalent bodies must be qualified to conduct these oversight activities, including by undergoing training as necessary.

Cybersecurity policy updates: Covered entities must now document and maintain several additional cybersecurity policies and procedures (or ensure that their existing cybersecurity policies and procedures cover these new areas).

• Covered entities must maintain policies governing data retention, end-of-life management, remote access, security awareness and training, incident notification and vulnerability management.
• Covered entities must document procedures implementing each policy.
• Policies must be approved annually by the board or other equivalent bodies.

Enhanced technical security controls: The cybersecurity regulations impose additional technical requirements.

• Risk assessments must be conducted at least annually.
• More robust access management requirements are required, including annual reviews of all user access privileges.
• Multifactor authentication is now required (not just suggested) for any individual accessing a covered entity’s information systems. There is a narrow carve-out for entities below certain headcount, revenue or asset thresholds, but even those entities must use multifactor authentication in designated situations, such as remote access.
• Covered entities must monitor and filter web traffic and email to protect against malicious code.
• Cybersecurity awareness training must be provided annually.

Incident response plans and business continuity management: Covered entities must have documented business continuity and disaster recovery (BCDR) plans and include more specific content in incident response plans (IRPs).

• IRPs must now identify how covered entities will recover backups and include instructions for a root cause analysis following an incident.
• Covered entities must maintain BCDR plans that identify critical business functions, include communication plans in the event of cybersecurity-related disruption, detail procedures for backups and recovery of impacted data, and other requirements.
• IRPs and BCDR plans must be tested annually (e.g., via a tabletop exercise).

Asset inventories: Covered entities must now maintain asset inventories.

• Asset inventories must include the owner, location, classification or sensitivity, support expiration date and recovery time objectives.
• Covered entities must document how often they update and validate the asset inventories.

Notice requirements for cybersecurity incidents: Covered entities must notify the superintendent about additional cybersecurity incidents.

• Superintendent notice is now required for a broader range of cybersecurity incidents, including a ransomware attack in a material part of the company’s information systems.
• For any extortion payments, covered entities must provide electronic notice to the superintendent within 24 hours of the payment and provide additional detailed information within 30 days.

Exemptions: Limited exemptions from these requirements are available in slightly more circumstances, such as if a company meets any of the following criteria:

• If it has fewer than 20 employees (instead of 10).
• If it recorded less than $7.5 million in gross annual revenue in each of the last three fiscal years (instead of $5 million).
• If it recorded less than $15 million in year-end total assets (instead of $10 million).

Deadlines for compliance: Unless otherwise specified, the amendments will take effect on April 29, 2024. The exceptions to this compliance date are as follows:

Given the significant number of new requirements, covered entities should act quickly to assess any gaps and develop work plans to fill them. 

John Ying and Heidi Steele contributed to this article.