On June 28, 2023, the New York Department of Financial Services (“NYDFS”) published an updated proposed Second Amendment (“Amendment”) to its Cybersecurity Regulation, 23 NYCRR Part 500. On November 9, 2022, NYDFS published a first draft of the proposed Amendment and received comments from stakeholders over a 60-day period. The updated proposed Amendment will be subject to an additional 45-day comment period.
As a result of the initial 60-day comment period, the updated Amendment incorporates a number of changes, including the following:
- NYDFS clarified the thresholds for calculating when covered entities qualify as “Class A Companies,” which would be subject to heightened requirements. A “Class A Company” is a covered entity with at least $20 million in gross annual revenue in each of the last two fiscal years from business operations of the entity and its affiliates in NY and: (1) over 2,000 employees averaged over the last two fiscal years across both the entity and its affiliates; or (2) over $1,000,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the entity and its affiliates. The updated proposed Amendment clarified that, when calculating the number of employees and gross annual revenue, “affiliates” include only those that share information systems, cybersecurity resources or all or any part of a cybersecurity program with the relevant covered entity.
- NYDFS clarified that, while Class A Companies would still be required under the amendments to conduct an “independent audit” of their cybersecurity programs at least annually, such “independent audits” include those conducted by internal auditors free to make decisions (in addition to external auditors).
- NYDFS narrowed the previously proposed definition of “privileged account” so that it is now applies to “any authorized user account or service account that can be used to perform security-relevant functions that ordinary users are not authorized to perform, including but not limited to the ability to add, change, or remove other accounts, or make configuration changes to information systems to make them more or less secure.” The proposed Amendment would still require covered entities to comply with a host of new access control obligations concerning privileged accounts, and notify NYDFS within 72 hours upon becoming aware of a cybersecurity event where an unauthorized user has gained access to a privileged account.
- NYDFS clarified that where a cybersecurity program or part of a cybersecurity program is adopted from an affiliate, the “senior governing body” (e.g., a board or equivalent governing body) may be that of the affiliate. As described below, senior governing bodies would have new oversight responsibilities under the amendments.
- Senior Governing Bodies: NYDFS narrowed the previously proposed responsibilities for senior governing bodies by removing the requirement to “provide direction to management on the covered entity’s cybersecurity risk management.” The updated Amendment and supplemental NYDFS guidance clarifies the senior governing body’s primary duty is effective oversight of the entity’s cybersecurity risk management, not involvement in day-to-day operations of management. In addition, NYDFS softened the previously proposed requirement that the senior governing body “have sufficient expertise and knowledge, or be advised by persons with sufficient expertise and knowledge, to exercise effective oversight of cybersecurity risk management” by replacing it with a requirement to “have sufficient understanding of cybersecurity-related matters to exercise such oversight, which may include the use of advisors.”
- Risk Assessments: NYDFS removed in its entirety the previously proposed requirement under Section 500.9(d) that, at least once every three years, Class A companies use external experts to conduct their required risk assessments.
- Incident Response Plan (“IRP”) and Business Continuity and Disaster Recovery Plan (“BCDRP”):
- NYDFS added a proposed requirement that the covered entity’s incident response plan address preparation of a “root cause analysis that describes how and why the event occurred, what business impact it had, and what will be done to prevent reoccurrence.”NYDFS clarified that a covered entity’s BCDR plan, which would required under the proposed amendments, must be designed to ensure availability and functionality of the covered entity’s information systems and material services, and protect personnel, assets and non-public personal information, in the event of a cybersecurity-related disruption to normal business activities.
- NYDFS clarified that covered entities would need to engage in annual testing of both their IRPs and BCDRPs with all staff critical to the response, including senior officers and the highest-ranking executive at the covered entity.
- Backups: With respect to the proposed requirements to maintain and test backups, NYDFS (1) clarified that a covered entity must annually test its ability to restore its “critical data and information systems” from backups; and (2) limited the previously proposed requirement that covered entities maintain backups to those “necessary to restoring material operations.”
- Automated Password Blocker: NYDFS clarified that the requirement for Class A companies to implement “an automated method of blocking commonly used passwords” applies only to accounts on information systems “owned or controlled by a Class A company” and for all other accounts only where “feasible.”
- Multifactor Authentication (“MFA”): NYDFS significantly expanded the scope of the proposed MFA requirements so that they are now aligned with the MFA requirements under the FTC Safeguards Rule. Whereas the original proposed Amendment required MFA only for certain privileged accounts and for remote access to the covered entity’s systems and third-party applications, the updated proposed Amendment broadly requires MFA for any access to the entity’s systems, regardless of whether that access is remote, unless the covered entity qualifies for a limited exemption (in which case the entity must follow the originally proposed MFA requirements). As an alternative, a covered entity’s Chief Information Security Officer (“CISO”) may approve in writing the use of reasonably equivalent or more secure compensating controls, although such controls would need to be reviewed at least annually.
Notifications and Certifications to NYDFS
- Cybersecurity Event Reporting: NYDFS eliminated the previously proposed requirement that covered entities notify NYDFS within 72 hours if they were affected by a cybersecurity event at a third-party service provider. In its place, NYDFS clarified that the other thresholds for cybersecurity event reporting (e.g., an event that has a reasonable likelihood of materially harming a material part of an entity’s normal operations) are met irrespective of whether the event occurred at the covered entity or its service provider. In addition, NYDFS removed the previously proposed requirement to update NYDFS within 90 days of its cybersecurity event notice and replaced it with an obligation to promptly provide information upon NYDFS’s request.
- Annual Certification of Compliance: Currently, companies are required to annually certify their compliance with the NYDFS Cybersecurity Regulations for the prior calendar year. In the updated proposed Amendment, NYDFS has proposed narrowing the scope of the certification to material compliance. In addition, under the original proposed Amendment, NYDFS added an alternative option to the annual certification of compliance that would permit covered entities to submit a written acknowledgement that they did not fully comply with all requirements. In the updated version of the proposed Amendment, NYDFS softened the requirement regarding the written acknowledgment, removing the obligation to identify “all areas, systems and processes that require material improvement, updating or redesign.”
In addition, under the original version of the Amendment, while covered entities were required to comply with some of the new requirements within 180 days of the Amendment’s affective date, other requirements were subject to transitional periods of one year, 18 months, or two years, respectively. Under the updated version of the Amendment, more of the new requirements would be subject to the lengthier transition periods. The new MFA requirements, for example, would be subject to the two-year transition period.
NYDFS provides supplemental detail regarding its revisions to the proposed Amendment and the rationale for these changes in its Assessment of Public Comments. Comments on the updated proposed Amendment must be submitted in writing to NYDFS by 5 pm ET on Monday, August 14, 2023. Submissions should be sent by email to firstname.lastname@example.org or by mail to the New York State Department of Financial Services c/o Cybersecurity Division, Attn: Joanne Berman, 1 State Street Plaza, Floor 19, New York, NY, 10004.