The New York Department of Financial Services (NYDFS) has proposed significant amendments (Proposed Amendments) to its Cybersecurity Requirements for Financial Services Companies (Cybersecurity Regulation).
Among other things, the Proposed Amendments would add numerous requirements related to oversight by covered entities' boards of directors (or equivalent governing bodies), incident reporting for ransomware attacks and extortion payments, and the maintenance and testing of incident response and business continuity plans and system backup solutions. NYDFS is accepting public comments on the Proposed Amendments until January 9, 2023 (60 days after publication of the Proposed Amendments). Instructions for submitting comments are provided on NYDFS's Cybersecurity Resource Center site.
The Proposed Amendments were released on November 9, 2022, and are similar to a set of proposed amendments to the Cybersecurity Regulation that briefly appeared on the NYDFS website in July 2022, which we discussed previously. Changes would include:
- New requirements for covered entities' boards of directors (or equivalent governing bodies) and senior management to play a direct role in development and oversight of cybersecurity programs;
- A new category of larger covered entities, called "Class A companies," which would be required to obtain independent audits of their information security programs and use third-party experts to conduct risk assessments, among other requirements;
- New requirements pertaining to CISOs, including that CISOs timely report material cybersecurity incidents to the entity's board of directors and "have adequate authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program";
- Expansion of the Cybersecurity Regulation's existing 72-hour notification requirements to require notification to NYDFS of ransomware attacks and unauthorized access to privileged accounts;
- A new requirement to notify NYDFS within 24 hours of making an extortion payment, such as a payment to decrypt ransomed data, followed within 30 days by a written explanation of why the payment was necessary; and
- Additional administrative and technical safeguards, including to maintain an asset inventory and written business continuity plan (BCP), and to annually test the company's incident response plan, BCP, and system backup procedures.
We summarize these and other changes introduced by the Proposed Amendments below.
Additional Board Oversight
The Proposed Amendments would create several new obligations for members of a covered entity's board of directors or an equivalent governing body relating to cybersecurity oversight, including to:
- Approve cybersecurity policies at least annually;
- Oversee and direct management on the covered entity's cybersecurity risk management;
- Require the covered entity's executive management or its delegates to develop a cybersecurity program; and
- Possess sufficient expertise and knowledge, or be advised by persons with sufficient expertise and knowledge, to exercise effective oversight of cybersecurity risk management.
In addition, material gaps in the covered entity's cybersecurity practices that are identified during testing must be documented and reported to the board and senior management.
Class A Companies and Requirements
The Proposed Amendments create a new category of Class A companies, which are defined as covered entities with at least $20 million in gross annual revenue in each of the last two fiscal years and either an average of 2,000 employees in each of the last two fiscal years or more than $1 billion in gross annual revenue in each of the last two fiscal years. Note that for purposes of calculating number of employees and gross annual revenue, the Proposed Amendments count both the covered entity and its affiliates, regardless of where employees are located or revenue is earned.
In addition to the requirements for all covered entities, the Proposed Amendments would require Class A companies to:
- Conduct annual independent audits of their cybersecurity programs;
- Implement a privileged access management solution and an automated method for blocking commonly used passwords for all accounts (or reasonably equivalent controls, if such password blocking is infeasible and the CISO approves the alternate controls in writing);
- Use external experts to conduct a risk assessment at least once every three years; and
- Implement an endpoint detection and response (EDR) solution to monitor for anomalous activity, including but not limited to lateral movement, and a solution that centralizes logging and security event alerting (or reasonably equivalent controls, if such technologies are infeasible and the CISO approves the alternate controls in writing).
New Notification Requirements
The Proposed Amendments would require covered entities to electronically notify the NYDFS Superintendent within 72 hours of:
- Cybersecurity events in which an unauthorized user gained access to a "privileged account," defined as any user or service account that can (1) perform security-related functions ordinary users are not authorized to perform, or (2) affect a material change to the technical or business operations of the covered entity, or
- Cybersecurity events that resulted in the deployment of ransomware within a material part of the covered entity's information system.
Covered entities, in the event an extortion payment is made in connection with a cybersecurity event, would be required to provide the NYDFS Superintendent with:
- Notice of having made an extortion payment within 24 hours of making that payment, and
- Within 30 days of the extortion payment, a written description of the reasons payment was necessary, a description of alternatives to payment considered, all diligence performed to find alternatives to payment, and all diligence performed to ensure compliance with applicable rules and regulations, including those of the Office of Foreign Assets Control.
Annual Reporting and Certifications
The Cybersecurity Regulation presently requires covered entities to submit annual certifications of compliance to NYDFS. The Proposed Amendments would require the entity's CISO and CEO to annually sign the certification of compliance or, alternatively, a document acknowledging that the covered entity did not fully comply with all the requirements of the Cybersecurity Regulation. This acknowledgment would have to identify all the provisions of the regulations that the entity has not complied with, the nature and extent of such noncompliance, and all areas, systems, and processes that require material improvement, updating, or redesign.
Changes to Safeguards Requirements
The Proposed Amendments add or change requirements related to various administrative and technical safeguards to protect sensitive data and systems, including in these areas:
- Privileged Access Management. The Proposed Amendments include several new requirements related to privileged accounts (as defined above), including to secure such accounts with multifactor authentication (MFA), limit the number and use of privileged accounts, periodically review privileged accounts and remove unnecessary privileges, and, for Class A companies, implement a privileged access management solution (as described above). The Proposed Amendments also include several additional requirements for access controls more generally, such as to adopt a written password policy.
- Risk Assessments. The requirement to conduct a risk assessment is fundamental to the Cybersecurity Regulation, as covered entities must implement various other requirements based on the outcomes of their risk assessments. The Proposed Amendments provide more detail on what the risk assessment must consider, including threat and vulnerability analyses. Risk assessments would need to be reviewed at least annually, or whenever a change to a covered entity's business or technology causes a material change to the entity's cybersecurity risk. As stated above, Class A companies would have to use external experts to conduct a risk assessment at least once every three years. Additionally, the CISO would be required to report on the entity's risk assessment to the board of directors.
- Remote Access and MFA. Remote access and MFA have been significant areas of focus for NYDFS, including in various enforcement actions and its December 2021 guidance. The Proposed Amendments would require all remote access—both to the covered entity's systems and to third-party applications—to be secured with MFA.
- Vulnerability Management and Penetration Testing. The Proposed Amendments would require cybersecurity programs to include written policies and procedures for vulnerability management, annual internal and external penetration testing, and periodic automated vulnerability scanning. Covered entities would need to maintain processes to be promptly informed of new vulnerabilities, to timely remediate vulnerabilities, and to document and report to the board and senior management material issues discovered during scanning and testing.
- Asset Inventories. Under the Proposed Amendments, covered entities would be required to develop and maintain asset inventories. For each asset, the inventory would need to track owner, location, classification or sensitivity, support expiration date, and recovery time requirements.
- Business Continuity and Disaster Recovery. The Proposed Amendments add significant requirements for developing and maintaining a business continuity and disaster recovery (BCDR) plan that identifies critical systems, data, and operations, requires routine backups of critical systems and data, and includes backup and recovery procedures for a disaster, cyberattack, or other disruption. The covered entity must distribute the BCDR plan to all employees necessary to implement it and must train those employees on their roles and responsibilities. Covered entities must annually test their BCDR plans and their ability to restore systems from backups.
- Incident Response. The current Cybersecurity Regulation requires covered entities to maintain an incident response plan. Under the Proposed Amendments, which address incident response planning and BCDR planning in the same section, covered entities must distribute their incident response plans to all necessary employees, train them on the plan, and test the plan annually. The incident response plan must address different types of cybersecurity events, including ransomware attacks.
Violations and Penalties
The Proposed Amendments clarify that two things constitute a violation: the failure to secure or prevent unauthorized access to an individual's or an entity's nonpublic information due to noncompliance with any section of the regulations, and the failure to comply with any section or subsection of the regulations for any 24-hour period. The Proposed Amendments also specify the factors that NYDFS would be required to consider when assessing penalties for violations, such as the extent to which the covered entity cooperated with NYDFS in its investigation, the good faith of the covered entity, and whether the violations resulted from conduct that was unintentional or inadvertent, reckless, or intentional or deliberate.
The Proposed Amendments significantly expand the already-extensive Cybersecurity Regulation and demonstrate NYDFS's goal of having all covered entities address cybersecurity issues at the highest levels of management. DWT's Privacy and Security team advises institutions on compliance with the NYDFS Cybersecurity Regulations and will continue to monitor developments relating to these Proposed Amendments.