The last edition focused on developing disclosure rules regarding climate change risk and investments and how regulators and shareholders are responding to the growing body of disclosure requirements. These new disclosure rules have wide-ranging implications for the industry and have proven to be an increasing source of potential liability.
This month, we examine the draft amendments to the Part 500 Cybersecurity Rules proposed by the New York Department of Financial Services (the “NYDFS”) on July 29, 2022. The amendments include significant changes relating to governance, technology, risk assessments, notifications, and penalties. Here we provide a high-level overview of the proposed changes, with a focus on the aspects of the amendments most critical to general counsel, other C-suite executives and board members, so that they can both understand the impact of the new amendments and decide whether their respective companies should comment.
There will be a very short pre-proposal comment period (ending August 18, 2022), followed by the publishing of the official proposed amendments in the coming weeks, which will start a 60-day comment period.
In 2017, the New York Department of Financial Services published Part 500, the Cybersecurity Rule. The rule was one of the very first regulations focusing on cybersecurity and laid out distinct governance, technology and regulatory notification requirements for covered entities and their vendors. It was also one of the first cybersecurity rules requiring an annual certification of compliance.
The 2017 regulation was a risk-based regulation, allowing companies to largely tailor their program to the risks they faced. The regulation did not start out as risk-based: NYDFS issued an initial draft and then made a great effort to interact with the industry to shape the regulation into something very workable. The final version was hailed as a meaningful but reasonable law that served as a model for cybersecurity regulation for many other agencies. The most current version of the regulation has a number of governance provisions. For example, each covered entity must have a cybersecurity program, the board of directors must receive a yearly report about the cyber program, a senior executive must be responsible for the cyber program, and a senior executive must sign the yearly certification of compliance with the regulation.
Importantly, the proposed amendments contain significant new governance obligations that the general counsel, C-suite and board should consider and that we outline below.
General counsel may also want to focus on the significant new requirements for risk assessment, which provide that they must be tailored to the company in light of its size, staffing, governance, services, products, vendors, locations and other factors. They also need to include a threat and vulnerability analysis. Many companies now work with outside counsel and external consultants to conduct risk assessments. In doing so, the companies are able to gain a comprehensive benchmarking of the program, a summary of which can be very helpful to the board of directors. Additionally, by including counsel, the technical results of the consultant review can be mapped to regulations such as Part 500 and others.
The proposed amendments to Part 500 include many changes that may require the general counsel's attention. In addition to the above, there are new requirements for large companies, which can include smaller covered entities with large affiliates. Given the NYDFS's history of working with industry to improve Part 500, there is every reason to think that submitting comments to the Department during the comment periods can be fruitful.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
© Mondaq® Ltd 1994 – 2022. All Rights Reserved.