On Nov. 9, 2022, the New York Department of Financial Services (NYDFS) issued a proposed second amendment to its 2017 cybersecurity regulation for financial service companies.^[1] In July 2022, NYDFS issued a draft version of the changes, but the current amendment has significant changes. Most of the proposed changes will take effect 180 days after final regulation adoption, likely soon after the comment period closes on Jan. 9, 2023, making most new regulations effective after July 8, 2023.^[2]

Go-To Guide:

• Detailed requirements of NYDFS’ proposed amendments to the cybersecurity regulation;

• Heightened requirements for larger financial services companies (“Class A Companies”);

• Changes to limited exemptions.

***

The proposed amendments move beyond administrative and technical safeguards to granular regulations on cybersecurity governance and risk management. Additionally, NYDFS places stricter requirements, detailed below, on larger financial services companies, “Class A Companies.” Class A Companies are those with greater than or equal to $20 million in New York gross annual revenue in the last two fiscal years, and either: greater than 2,000 employees (including affiliate’s employees), or greater than $1 billion in gross annual revenue (including affiliate revenue) globally in the last two fiscal years. With the new regulations expected to take effect in 2023 (potentially as early as March for sections with a 30-day implementation timeline), companies should begin planning and budgeting for the changes now to avoid legal compliance risks.

New Requirements for All Covered Entities:

• Chief Information Security Officer (CISO) Authority & Responsibility. Grant CISOs authority to manage cybersecurity risks appropriately, including the ability to direct sufficient resources to implement and maintain a cybersecurity program, and require that the CISO report to the senior governing body on any material cybersecurity issues. (500.4(a), (c))

• Senior Governing Body. The Board of Directors, or similar managerial body, must annually approve the written cybersecurity policy which must include policies regarding data retention, asset disposition, security awareness and training, breach notification, encryption requirements for nonpublic information, and vulnerability management. (500.3, 500.15) Additionally, the Board must provide oversight and direction regarding management of the cyber risk management program. (500.4(d))

• Vulnerability Management. Develop written vulnerability management policies and procedures, including: annual penetration testing inside/outside information systems’ boundaries; automated scans of information systems (manual review of systems not covered by scans)^[3]; continuous monitoring for security vulnerabilities; and document material issues found during testing and report issues to the senior governing body and senior management. (500.5)

• Access Management. Conduct at least annually a user access privilege review, promptly terminate access after employee departures, and implement a written password policy that meets industry standards. (500.7)

• Multi-factor Authentication (MFA).^[4] MFA implemented for remote access to all privileged accounts (admin or security accounts), as well as to access the entity or third-party applications (including cloud based) which host nonpublic information. If the CISO approves more secure compensating controls in writing, they must be reviewed at least annually. (500.12)

• Data Inventory.^[5] Maintain an asset inventory of all hardware and software, including their location and accessibility. (500.13)

• Training and Monitoring. Implement controls that protect against malicious code, including on web traffic and email to block malicious content,^[6] and provide at least annual training with social engineering exercises to all employees. (500.14(a))

• Business Continuity, Disaster Recovery (BCDR), & Incident Response Plans (IRP). At least annually, test the ability to restore systems from network-isolated backups^[7], and test and revise as needed their BCDR plan & IRP (including disruptive events like ransomware). Additionally, training must be provided to the employees responsible for implementing the respective plans.

  • BCDR Plan. In addition, the BCDR plan must: identify documents/data, personnel, facilities, infrastructure, and competencies essential to continued operations; identify the supervisory personnel responsible for implementing each aspect of the plans; include communications plans, procedures to create offsite backups and maintain backup facilities. The draft amendments would also require that relevant employees be trained for their implementation. (500.16)

• Third Party Event Notification.^[8] The 72-hour notification requirement for cybersecurity events now requires entities to report events affecting them which occur at or within third-party service providers. Entities are required to provide, via NYDFS’ website form, “any information requested regarding the investigation of the cybersecurity event,” with an ongoing obligation to update and supplement the NYDFS form.

• Ransomware & Extortion Payment Reporting. Covered entities must now report if they experience a cybersecurity event involving ransomware. In addition, if extortion payments are made in connection with the ransomware event, the entity must: (1) submit notice of payment within 24 hours; and (2) within 30 days of payment, provide a written description of the reasons payment was necessary, a description of alternatives considered. (500.17)

• Annual Certification of Compliance.^[9] The certification now includes a written acknowledgement that provides remediation plans and a timeline for their implementation. (500.17)

New Requirements for Class A Companies:

• Audits and Risk Assessments. Conduct an independent audit (using external auditors) of the cybersecurity program at least annually. (500.2(c)) Use external experts to conduct a risk assessment at least every three years. (500.9(d))

• Access Management.^[10] Implement privileged access management solution and an automated method of blocking commonly used passwords. (500.7(b))

• Training and Monitoring.^[11] Implement endpoint detection and response solution to monitor anomalous activity (including lateral movement), and a solution centralizing logging and security event alerting. (500.14(b))

The proposed amendments also provide changes to the limited exemptions for small companies. An entity (including affiliates) with either fewer than 20 employees (including independent contractors) or less than $15 million in year-end total assets, is exempt from the following regulation sections: 500.4 (CISO requirements), 500.5 (penetration testing and vulnerability assessments), 500.6 (audit trails), 500.8 (application security), 500.10 (cybersecurity personnel), 500.14 (training and monitoring), 500.15 (encryption), and 500.16 (BCDR & IRP Plans).

NYDFS has taken note of the comments submitted to the original draft changes published in July; while they retained many of the proposed changes, the new version provides clarifications, relaxes some of the implementation timelines, and removes certain requirements for Class A Companies (such as weekly vulnerability scans and requiring password vaults for privileged access).

FOOTNOTES

[1] 23 NYCRR § 500 et seq.

[2] The amendment’s 60-day comment period is open to public feedback until 5 pm EST on Monday, Jan. 9, 2023. Comments must be submitted in writing either via email or by mail to the New York State Department of Financial Services c/o Cybersecurity Division, Attn: Joanne Berman, One State Street, Floor 19, New York, NY, 10004. No special form is required.

[3] Covered entities have 18 months from the amendment’s effective date to implement automated scans of information systems per 500.5(a)(2).

[4] Covered entities have 18 months from the amendment’s effective date to implement MFA per 500.12(b).

[5] Covered entities have two years from the amendment’s effective date to implement the asset management and data inventory requirements per 500.13(a).

[6] Covered entities have 18 months from the amendment’s effective date to implement protections against malicious code per 500.14(a)(2).

[7] Covered entities have one year from the amendment’s effective date to implement network isolated backups per 500.16(e).

[8] Covered entities have 30 days from the amendment’s effective date to implement notification requirements per 500.17.

[9] Covered entities have 30 days from the amendment’s effective date to implement notification requirements per 500.17.

[10] Class A companies have 18 months from the amendment’s effective date to implement changes to passwords per 500.7(b).

[11] Class A companies have 18 months from the amendment’s effective date to implement endpoint and centralized logging solutions per 500.14(b).

Matthew White and Tessa Cierny also contributed to this article.