New York Department Of Financial Services Proposes Significant Changes To Its Cybersecurity Regulation – Security – United States – Mondaq

On November 9, 2022, the New York Department of Financial Services (the NYDFS) released proposed amendments (the Proposed Amendments) to its Cybersecurity Regulation, Part 500 of Title 23 of the New York Codes, Rules, and Regulations (Part 500). Part 500, often referred to as a “first-in-the-nation” cybersecurity regulation, requires financial institutions subject to NYDFS jurisdiction (covered entities[1]) to establish and maintain comprehensive and rigorous cybersecurity standards to protect nonpublic information (NPI) within their control. The Proposed Amendments would substantially expand the scope of Part 500 by, among other things, designating a class of entities subject to heightened cybersecurity requirements; mandating new reporting obligations (including an obligation to notify the NYDFS within 24 hours of a cyber ransom payment); expanding the requirements for what must be contained in a covered entity's cybersecurity policies and procedures; and broadening senior management personnel's governance and oversight responsibilities.
While the majority of the Proposed Amendments would take effect 180 days from the date of adoption, certain other provisions would take effect at various points over the next two years, as detailed below. Comments on the Proposed Amendments are due on January 9, 2023.
Covered entities are currently required to notify the NYDFS within 72 hours of any cybersecurity event that either (1) requires notice to a supervisory body or (2) has a reasonable likelihood of materially harming any material part of a company's normal operations. The Proposed Amendments would additionally require:
Moreover, within 90 days of a cybersecurity event, covered entities would need to provide the NYDFS any information requested regarding the investigation of the cybersecurity event and would have a continuing obligation to update and supplement the information provided. Covered entities would also be required to provide to the NYDFS, within 30 days of any extortion payment made in connection with a cybersecurity event involving the covered entity:
Effectively, covered entities already have an obligation to report some ransomware incidents, namely those with a reasonable likelihood of “materially harming a material part of a company's normal operations.” The Proposed Amendments, however, would make this duty explicit and broader by requiring covered entities to notify the NYDFS whenever ransomware has been deployed within a material part of a company's information system (the trigger is thus the scope of the ransomware deployment, not whether harm resulted). These expanded requirements would formalize some of the principles articulated in the NYDFS' 2021 guidance on ransomware prevention, which urged covered entities to implement various cybersecurity safeguards, such as an incident response plan specifically addressing ransomware incidents.
Part 500 currently obligates each covered entity to submit an annual certification of compliance to its board of directors or equivalent governing body (or if none, a senior officer responsible for the covered entity's cybersecurity program). Under the Proposed Amendments, the certification of compliance would have to be based on data and documentation sufficient to accurately determine full compliance, and be signed by the company's highest-ranking executive and Chief Information Security Officer (CISO) (or absent a CISO, the highest-ranking executive and senior officer responsible for the cybersecurity program of the covered entity).
Covered entities would also have the option to issue a written acknowledgment in lieu of a certification; such acknowledgment would state that the covered entity did not fully comply with all requirements of Part 500. This acknowledgment would need to, among other things, provide remediation plans and a timeline for their implementation, and identify all sections of Part 500 with which the entity did not fully comply, along with the nature and extent of such noncompliance. The acknowledgment would need to be signed by the highest-ranking executive and CISO, or, if there is no CISO, the senior officer responsible for the cybersecurity program of the covered entity. As with the annual certification, covered entities would be obligated to maintain all records and documentation relating to the acknowledgment of noncompliance, including all remedial efforts undertaken to address any areas, systems and processes that required material improvement, updating or redesign.
The Proposed Amendments would create a new category of “Class A” companies, the members of which would be covered entities that, together with their affiliates, have at least $20,000,000 in gross annual revenue in each of the last two fiscal years and (1) more than 2,000 employees averaged over the last two fiscal years or (2) averaged more than $1,000,000,000 in gross annual revenue in each of the last two fiscal years. Class A companies would be subject to certain heightened requirements, including the obligation to:
Senior governing bodies (i.e., the covered entity's board of directors (or an appropriate committee thereof) or equivalent governing body, or, if neither of those exist, the senior officer of the covered entity responsible for the covered entity's cybersecurity program), the CISO, and highest-ranking executive would be vested with broad governance and oversight duties under the Proposed Amendments. For example, under the Proposed Amendments:
The Proposed Amendments also make clear that the CISO would need to include—instead of simply “consider” (as Part 500 currently provides)—certain items in the CISO's annual report (to the extent applicable), such as the confidentiality of NPI and the integrity and security of the covered entity's information systems. These increased oversight and governance obligations would, taken together, empower senior officials with more autonomy to continually shape a covered entity's cybersecurity compliance program at all levels.
The Proposed Amendments would create new requirements with respect to written cybersecurity policies and procedures. In particular, a covered entity's policies and procedures would need to:
The Proposed Amendments would supplement existing requirements for covered entities to implement incident response plans with obligations to have written plans for business continuity and disaster recovery (BCDR). These BCDR plans, at a minimum, would need to:
Under the Proposed Amendments, a covered entity's incident response plans would need to address different types of cybersecurity events, including disruptive events such as ransomware incidents. The incident response and BCDR plans would need to be periodically tested by all staff critical to the response, and revised accordingly based on such tests. Moreover, each covered entity would be required to ensure the current copies of the plans or relevant portions therein are distributed or otherwise accessible to all employees necessary to implement such plans. All personnel involved in the implementation of these plans would be required to receive appropriate training as well. Further, each covered entity would need to maintain backups that are adequately protected from unauthorized alterations or destruction.
These new requirements reflect the NYDFS' focus on ensuring covered entities' senior personnel are closely involved with incident response planning. This approach was reaffirmed in the NYDFS' ransomware guidance discussed above, which provides that “decision makers such as the CEO should not be testing the incident response plan for the first time during a ransomware incident.” Like the enhanced requirements regarding policies and procedures, these additional prescriptive operational resilience obligations would encourage a more sophisticated and flexible approach to responding to cybersecurity incidents that takes into account the various ways in which cybersecurity systems can be compromised.
The Proposed Amendments would expand the definition of “risk assessment” to apply to the process of identifying cybersecurity risks to organizational operations, organizational assets, individuals, customers, consumers, other organizations, and critical infrastructure resulting from the operation of the information system. Under the Proposed Amendments, risk assessments would need to:
Rather than obligate covered entities to implement a cybersecurity program that includes monitoring and testing developed in accordance with their risk assessment, the Proposed Amendments would broadly mandate that covered entities develop and implement written policies and procedures for vulnerability management that are designed to assess the effectiveness of their cybersecurity program. These policies and procedures would need to ensure that covered entities:
These proposed requirements underscore the NYDFS' objective of ensuring that covered entities do not allow their risk and vulnerability assessments to become stale, so that they are adequately prepared to address new and emerging cybersecurity threats. In this respect, these expanded requirements would be consistent with the expanded risk assessment requirements contained in the amendments[3] issued this past fall by the FTC to the 2002 Gramm-Leach-Bliley Act (GLBA) Standards for Safeguarding Customer Information (known as the Safeguards Rule). The Safeguards Rule, as amended, obligates regulated financial institutions to perform additional risk assessments that reexamine the reasonably foreseeable internal and external risks to customer information that could result in the compromise of such information.
The Proposed Amendments would impose numerous new obligations with respect to other cybersecurity controls as well, namely that a company must, based on its risk assessment:
The Proposed Amendments would also obligate covered entities to implement a written password policy (to the extent passwords are employed as a method of authentication) that meets industry standards, and implement written policies and procedures designed to ensure a complete, accurate, and documented asset inventory, which would need to include, at a minimum, a method to track key information for each asset (e.g., owner, location, classification or sensitivity), and the frequency required to update and validate the covered entity's asset inventory.
Except where reasonably equivalent or more secure compensating controls have been implemented and approved by the CISO in writing, multi-factor authentication would also need to be utilized for remote access to the covered entity's information systems, remote access to third-party applications from which NPI is accessible, and all privileged accounts. Moreover, covered entities would need to implement controls that protect against malicious code, including those that monitor and filter web traffic and emails to block malicious content as well as provide periodic, but at a minimum annual, cybersecurity training programs that include social engineering exercises.
The Proposed Amendments would add specificity on what constitutes a Part 500 violation. In particular, a violation would be defined as committing a single act prohibited by Part 500 or the failure to act to satisfy an obligation. Acts or failures would include, but not be limited to:
The Proposed Amendments also describe certain factors that would mitigate any potential penalty levied for a violation of Part 500, such as (1) the extent to which the covered entity has cooperated with the superintendent in the investigation of such acts, (2) the good faith of the entity, and (3) whether the violations resulted from conduct that was unintentional or inadvertent, reckless, or intentional and deliberate.
The Proposed Amendments would broaden the small company exemption applicable to certain provisions of Part 500 to capture those covered entities that have (1) fewer than 20 (instead of 10) employees and independent contractors or (2) less than $15,000,000 (instead of $10,000,000) in year-end total assets. The Proposed Amendments would also exempt certain individual insurance brokers and agents.
The majority of the Proposed Amendments would take effect 180 days from the date of adoption. However, certain provisions would include different transitional periods:
Several provisions would take effect immediately upon adoption as well, such as the insurance broker exemption, violation provisions, and exemption from electronic filing and submission requirements.
The Proposed Amendments reflect the NYDFS' concerns about an increasingly volatile cyber threat landscape, one which poses unique threats to financial institutions. In proposing to significantly expand Part 500, the NYDFS has indicated it intends to continue being at the forefront of the development of cybersecurity regulation. Many covered entities may already be implementing certain of the data security measures mandated by the Proposed Amendments, but there may be ways in which the NYDFS could moderate the requirements to accommodate covered entities' constraints. There is sufficient time to suggest changes to the Proposed Amendments through comments filed with the NYDFS. Arnold & Porter regularly assists clients with comments on proposed rules such as these, and we are available to consult about drafting comments that would be valuable contributions to the NYDFS in finalizing rules based on the Proposed Amendments.
[1] “Covered Entity” is defined in Part 500 as any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law. (NY Comp. Codes R. & Regs. Tit. 23 § 500.01(c))
[2] The Proposed Amendments would narrow the definition of “third party service provider” to exclude governmental entities.
[3] You can read more about the amended Safeguards Rule in Arnold & Porter's Advisory (Nov. 29, 2021).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
© Mondaq® Ltd 1994 – 2022. All Rights Reserved.