On July 29, 2022, the New York Department of Financial Services (NYDFS) announced a “pre-proposed outreach” of material proposed changes to almost every section of its cybersecurity regulations, and would affect each entity covered by the current regulations of 23 NYCRR Part 500. Because this version is the “preposed” copy of the changes, there is only a brief comment period, with comments due by August 18, 2022. NYDFS will release the official proposed changes at a later date, and they will be subject to the usual 60-day comment period.
The proposed changes mark a turn by NYDFS toward more specific, granular and prescriptive requirements notably with respect to governance, risk assessments and asset inventories (detailed below).
Some of the proposed amendments create new requirements applicable only to covered entities with over 2,000 employees or over $1 billion in gross annual revenues averaged over the last three years, defined as “Class A Companies.” These include requirements to:
- implement an endpoint detection and response solution to monitor anomalous activity;
- conduct vulnerability assessments at least weekly; and
- conduct an independent audit or their cybersecurity program at least annually.
The Proposed Regulation Changes
- Independence of CISO: The company’s CISO, or designated qualified individual responsible for overseeing and implementing the company’s cybersecurity program, is required to have adequate independence and authority to ensure cybersecurity risks are appropriately managed. (500.2)
- Increased Board Reporting: In addition to the existing obligation of the CISO reporting to the company’s board (or equivalent) annually on the company’s cybersecurity program and material cybersecurity risks, the draft amendments would add requirements to report on plans for remediating inadequacies identified in the cybersecurity program and provide timely reports regarding material cybersecurity issues, such as updates to the risk assessment or major cyber events. (§500.4)
- Board Cyber Expertise: The company’s board (or appropriate committee of the board) is required to have sufficient expertise and knowledge, or be advised by persons with sufficient expertise and knowledge, to exercise effective oversight of cyber risk and a committee or subcommittee assigned responsibility for cybersecurity (the SEC has imposed a similar requirement). (500.4)
- BCDR and Incident Plans: The draft amendments flesh out additional requirements for business continuity and disaster recovery plans, including identifying documents, personnel, facilities, and competencies essential to continued operations, supervisory personnel responsible for implementing each aspect of the plans, communications plans, and maintenance processes for backup facilities. The draft amendments would also require that relevant employees be trained for their implementation. Covered entities must also periodically test their incident response plans (including “disruptive events such as ransomware,” which NYDFS specifically would require) and their ability to restore systems from backups. Companies would need to maintain backups that are isolated from network connections. (500.16)
- Annual certification signed by CEO and CISO: The covered entity’s annual certification of compliance would need to be signed by the CEO and CISO (or by the senior officer responsible for the cybersecurity program if the entity does not have an internal CISO).
- New annual certification of non-compliance: The draft amendments now provide for a certification of non-compliance that describes the nature and extent of such noncompliance and identifies all areas, systems, and processes that require material improvement, updating or redesign. The certification would also need to include the identification of, and the remedial efforts planned and underway to address, any noncompliance, as well as a timeline for implementation of those remedial efforts. (500.17)
Cybersecurity Risk Assessments
- Risk assessment geared to the specific covered entity: The proposed definition of Risk Assessment is more prescriptive, detailing that it must identify cybersecurity risks to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, customers, consumers, other organizations, and critical infrastructure resulting from the operation of an information system. The risk assessment would also need to take into account the specific circumstances of the covered entity, including but not limited to its size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations. The risk assessments would be required to incorporate threat and vulnerability analyses, and consider mitigations provided by security controls planned or in place. (§500.1)
- Annual Updating of Risk Assessment: The proposed regulations would require annual updating of risk assessments, and would also require impact assessments be conducted whenever a change in business or technology causes a material change to the company’s cyber risk. (§500.9)
Asset inventories and Access Controls
- Asset Inventory: Covered entities would be required to implement policies and procedures to ensure a complete, accurate and documented asset inventory including all information systems and their components, such as hardware, operating systems, applications, infrastructure devices, APIs and cloud services.. Inventory would need to track key information for each asset across various attributes including the asset’s owner, location, classification or sensitivity, support expiration date, and recovery time requirements. The proposed changes would further require the documented asset inventory to include the frequency required to update and validate the covered entity’s asset inventory. (§500.13)
- Access Controls: The new amendments would require companies to limit the number of privileged accounts and the access functions of privileged accounts to only those necessary to perform the user’s job, conduct periodic user access reviews, and disable or securely configure all protocols that permit remote control of devices. To the extent passwords are employed as a method of authentication, the proposed changes would require the covered entity to ensure strong, unique passwords are used. (500.7)
Notifications to DFS
- Cybersecurity Event Notification Would Expand. The proposed amendments would also expand cybersecurity event notification to include notice within 72 hours to NYDFS for unauthorized access to “privileged accounts” or deployment of ransomware within a material part of the covered entity’s information systems. (500.17)
- Extortion Payments. The proposed amendments would require that a covered entity notify NYDFS within 24 hours of any extortion payment connected to a cybersecurity event, with notice of the payment. In addition, within 30 days of the payment, a written description of the reasons payment was necessary, the alternatives to payment considered, diligence performed to find alternatives to payment, and diligence performed for compliance with application regulations, including the Office of Foreign Assets Control. (500.17)
Penalties for Single Failures
The proposed regulations would permit NYDFS to take into account specific factors in assessing a penalty for the “commission of a single act prohibited by this Part or the failure to act to satisfy an obligation required by this Part,” including failure to prevent unauthorized access due to noncompliance or failure to comply with any subsection for 24 hours. (§500.20)
New Requirements for Larger Entities (Class A Companies)
While most of the new requirements would apply to all DFS-regulated entities, others would apply only to a newly created category of larger entities called “Class A Companies,” which are covered entities with over 2,000 employees (wherever located, including affiliates) or over $1 billion in gross annual revenues (averaged over the last three years from all business operations of the covered entity and its affiliates). (§500.1) These Class A Companies would be obligated to:
- Conduct an annual independent audit of their cybersecurity programs, not influenced by the covered entities being audited or by its owners, managers, and employees. This audit can be conducted by auditors internal or external to the covered entity and its affiliates (500.2);
- Use external experts to conduct a risk assessment at least once every three years (500.9);
- Implement an endpoint detection and response solution to monitor anomalous activity and a solution that centralizes logging and security event alerting, unless the CISO has approved in writing the use of reasonably equivalent or more secure controls or tools (500.14);
- Conduct vulnerability assessments at least weekly (500.5); and
- Monitor privileged access activity and implement a password vaulting solution for privileged accounts and an automated method for blocking commonly used passwords, unless the CISO approves in writing the use of reasonably equivalent or more secure access controls (500.7).
These proposed changes would require significant time and resources for most covered entities to become compliant, and will require increased oversight by executive management and the board. In addition, the enhanced technology, risk assessment, and asset inventory changes will likely require covered entities with multiple business units (not all of which are subject to NYDFS regulations) to comply with the cybersecurity regulations at the enterprise level.
The proposed changes also create ambiguity on issues necessary to satisfy the new requirements, such as determining whether the CISO has sufficient independence and what constitutes a “material change” to the covered entity’s cyber risk that would require an impact assessment. Financial institutions should consider submitting comments directly, or working with industry associations, to provide comments to the NYDFS during the initial comment period. Nonetheless, with the draft amendments expected to take effect in 2023, companies should begin planning and budgeting for the new requirements now, as it is likely many of these changes will be adopted.