On November 9, 2022, the New York Department of Financial Services (NYDFS) officially proposed changes to its cybersecurity regulation and opened a 60-day public comment period. NYDFS had issued a “pre-proposed” version of the changes in July of this year, which we had summarized here. NYDFS retained many of those earlier proposed changes, and made a few clarifications, but has made some significant changes in this version. Unless otherwise indicated, most changes would take effect 180 days from NYDFS’ adoption of the final regulations (which will be sometime after the close of the comment period on January 9, 2023, so no earlier than July 8, 2023).
Revised Definition of Class A Companies and other Key Requirements
Carrying over from the pre-proposed version, NYDFS retained the separate category of “Class A companies,” which are subject to certain additional requirements, and represent covered entities with over 2,000 employees or over $1 billion in gross annual revenues averaged over the last three years. However, NYDFS added another element to the definition of the term: “Class A companies” must also have $20 million in gross annual revenues in each of the last two fiscal years.
This new version of the proposed regulation deletes the previous requirements for Class A companies to conduct weekly vulnerability scans, as well as the requirement to use password vaulting for privileged access. Class A companies would still be required to use an automated method of blocking commonly used passwords, but if the covered entity determines that would be infeasible, the CISO may instead approve compensating controls in writing, and would need to continue to approve them at least annually. (Note that covered entities would have 18 months to implement this password-blocking requirement.) (500.7(b))
Other notable changes include the following:
- CISO. The proposed regulation removes the requirement that the CISO have independence, and instead mandates adequate authority to ensure that cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program. (500.4(a))
- Board Expertise and Oversight. The proposed regulation still requires the company’s board (or appropriate committee of the board) to have sufficient expertise and knowledge, or be advised by persons with sufficient expertise and knowledge, to exercise effective oversight of cyber risk and a committee or subcommittee assigned responsibility for cybersecurity. The proposed regulation has added a requirement that the board also needs to provide oversight and direction to management of the covered entity’s cyber risk management program. (500.4)
- Business Continuity and Disaster Recovery. With respect to business continuity and disaster recovery (BCDR) plans, NYDFS retained many of its originally proposed changes, but added a requirement that the covered entity “ensure” that current copies of the plans are distributed or otherwise available, including during cybersecurity events, to all employees necessary to implement that plan. Covered entities would be required to test the plans (including the ability to restore from backups) on at least an annual basis (rather than “periodically”). (500.16)
- Notice of Cybersecurity Event. NYDFS retained its 72-hour notification requirement for cybersecurity events, but it would extend that requirement to include third party service provider cybersecurity events—the covered entity would have 72 hours to provide notice from the time the covered entity becomes aware of the event. NYDFS also added a proposed requirement to require covered entities to provide “any information requested regarding the investigation of the cybersecurity event” electronically in the form set forth on NYDFS’ website. The covered entity would have an ongoing obligation to update and supplement the NYDFS form. (Covered entities would have 30 days to implement these changes.) (500.17)
- Annual Certification of Compliance. The annual certification of compliance would now include a written acknowledgement that provides remediation plans and a timeline for their implementation. (500.17)
- Annual Penetration Test. The proposed regulations would require an annual penetration test from both inside and outside the covered entity’s information systems’ boundaries. (500.5)
- Vulnerability Management. Covered entities must now develop and implement written policies and procedures for vulnerability management that are designed to assess the effectiveness of their cybersecurity program. (500.5)
- Automated Scans. The proposed regulation would require automated vulnerability scans, and manual review of systems not covered by those scans. The frequency of those scans would be determined by the risk assessment. (Covered entities would have 18 months to implement this requirement.) (500.5)
These proposed changes follow a highly active pre-proposal comment period, during which industry stakeholders shared their thoughts with the NYDFS on the changes under consideration. NYDFS recognized that the implementation periods for some technical elements from the original pre-proposed version of the regulation were too aggressive and softened these requirements.
Since the NYDFS carefully considered the comments from the initial version of the proposed regulation, financial institutions should continue considering submitting comments directly, or working with industry associations, to provide comments to the NYDFS during the comment period, which ends on Monday, January 9, 2023. Nonetheless, with the draft amendments expected to take effect in 2023, companies should begin planning and budgeting for the new requirements now, as we expect that many of these changes will be adopted.