The New York Department of Financial Services (NYDFS) presented new amendments last month to help “ratchet up” its cybersecurity requirements for financial institutions headquartered in the state, signaling potential heightened regulations for all U.S. banks.
New York has long been a pacesetter in codifying cybersecurity and other regulatory rules for financial institutions, taking a leading role in cybersecurity regulation and guidance as far back as 2015. In 2017, the NYDFS took a “catalytic” role in setting cybersecurity rules and guidance with its Part 500 regulations.
“The cybersecurity landscape has evolved in the past five years, and the Draft Amendments demonstrate that DFS continues to take a forward-leaning role in strengthening cybersecurity practices,” according to a blog post on the Gibson Dunn website.
The recent NYDFS proposals raise expectations for senior leaders, heighten technology requirements, expand the set of events covered under the mandatory 72-hour notification requirement, add a new 24-hour reporting requirement for ransom payments along with a 30-day written justification of any such payment, impose significant new requirements for business continuity and disaster recovery, and heighten the annual certification and assessment requirements.
The amended regulations would also create a new class of larger entities that would be subject to increased obligations for their cybersecurity programs. Even the definition of a “cybersecurity program” has been expanded to include coverage of nonpublic information stored on the covered entity’s information systems, a substantial increase in covered information that will have significant downstream effects on reporting and certification requirements.
Here are some key provisions of the NYDFS amendments:
The draft amendments establish additional requirements on top of DFS’s existing 72-hour notification requirements, including:
Requiring notification to DFS within 72 hours of unauthorized access to privileged accounts or the deployment of ransomware within a material part of the company’s information systems. These are in addition to the existing requirements to notify DFS within 72 hours of any cybersecurity events that require notice to a supervisory body or that have a reasonable likelihood of materially harming a material part of the company’s normal operations. Notably, these newly proposed requirements would significantly lower the notification threshold, as they could be triggered before any sign of actual data compromise or exfiltration.
A new 24-hour notification obligation in the event a ransom payment is made, and a 30-day requirement to provide a written description of why the payment was necessary, alternatives to payment that were considered, and all sanctions diligence conducted.
Adhering to the mantra “with great data comes great responsibility,” the draft amendments also increase cybersecurity obligations for a newly defined class of larger entities under DFS’s authority. These “Class A” companies are defined as entities with over 2,000 employees, or over $1 billion in gross annual revenue averaged over the last three years from all business operations of the company and its affiliates. Under the draft amendments, Class A companies are required to comply with heightened technical requirements as well as risk assessments and audits. They must:
The original Part 500 regulations imposed a number of new obligations on companies’ governing bodies, including the need for a chief information security officer (CISO) or equivalent personnel, detailed cybersecurity reporting to the board, and written policies approved by a senior officer. The draft amendments enhance in a very meaningful way many of the Part 500 governance requirements, further indicating how important DFS views strong governance in the quest for effective cybersecurity. The draft amendments include obligations:
The draft amendments also provide an option for covered entities to submit a written acknowledgement that, for the prior calendar year, they did not fully comply with their cybersecurity obligations. Covered entities that submit this acknowledgment will be required to identify all the provisions of the compliance rules that were not followed, describe the nature and extent of the noncompliance, and identify all the areas, systems, and processes that require material improvement, updating, or redesign.
These additional reporting requirements are substantial, and would greatly increase the burden on CEOs, CISOs, and other personnel involved in the preparation of these annual certifications or acknowledgements.
The draft amendments expand measures directed at “operational resilience” beyond incident response plans, requiring covered entities to also have written plans for business continuity and disaster recovery (BCDR). Notably, the original Part 500 cybersecurity regulations were the first of their kind to stipulate detailed requirements for cybersecurity incident response plans. DFS is now breaking similar ground with BCDR plans, requiring proactive measures to mitigate disruptive events by, at a minimum:
Furthermore, DFS has proposed a significant revision to its requirements for incident response plans, requiring that they differentiate based on incident type (e.g., ransomware), while continuing to require that such plans address the previously enumerated areas (e.g., internal response processes; incident response plan goals; definitions of clear roles, responsibilities and levels of decision-making authority; communications and information sharing; identification of remediation requirements; documentation and reporting, etc.) as well as the newly added requirement to address recovery from backups.
Under the draft amendments, relevant personnel must receive copies of the incident response plan and BCDR plan, copies must be maintained offsite, and all personnel involved in implementation of the plans must receive appropriate training. In addition, covered entities are required to conduct incident response and BCDR exercises.
The draft amendments strengthen technical requirements and written policy requirements for covered entities, codifying certain best practices in key cyber risk areas. The draft amendments specifically:
The draft amendments also contain new measures for asset inventory and management, which may cost companies significant time and resources to implement. These measures require all covered entities to:
The draft amendments further require additional written cybersecurity policies covering procedures for end-of-life management, remote access, and vulnerability and patch management. Notably, despite the prominence of recent supply chain cybersecurity attacks, there are no substantive changes to the Part 500 requirements relating to third-party service providers.
The draft amendments further expand the requirements for and definition of “risk assessment” to make clear that they must be:
While DFS has not changed the core cybersecurity functions that must be covered by the risk assessment per se, covered entities will need to ensure that the assessment covers the broadened scope of “cybersecurity program” under the draft amendments (nonpublic information stored on the covered entity’s information systems). Another substantial proposal is the requirement that covered entities conduct impact assessments whenever a change in the business or technology causes a material change to the covered entity’s cyber risk.
Finally, the draft amendments contain two significant clarifications regarding the enforcement of the Part 500 Cybersecurity Rules:
Facing increased breaches on its systems and among its members, the Securities and Exchange Commission (SEC) is considering how it will better handle cyber threats.
CyberScoop reports that former National Security Agency employees Ryan Adams, Marc Baier, and Daniel Gericke have been prohibited by the U.S. State Department from taking part in International Traffic in Arms Regulations activities after being involved with the United Arab Emirates’ vast surveillance operation on U.S. companies, as well as politicians, journalists, and dissidents in the UAE.
Copyright © 2022 CyberRisk Alliance, LLC All Rights Reserved This material may not be published, broadcast, rewritten or redistributed in any form without prior authorization.