On Nov. 9, 2022, the New York Department of Financial Services (“NYDFS”) published a proposed amendment (“Proposed Amendment”) to its 2017 cybersecurity regulation (“Part 500”), which requires certain NYDFS-regulated financial services companies to, among other things, safeguard consumer data and adopt and implement a cybersecurity program. The Proposed Amendment is subject to a 60-day notice and comment period, which will be open until Jan. 9, 2023. Based on NYDFS’ review of any comments received, NYDFS will either propose further revisions to the Proposed Amendment or adopt the final regulation.
The Proposed Amendment is the NYDFS’ second rulemaking in its effort to amend Part 500, and follows NYDFS’ Pre-Proposed Amendment, which was published on July 29, 2022 (the “Pre-Proposed Amendment”). The Proposed Amendment generally maintains most of the material changes reflected in the Pre-Proposed Amendment, as well as imposing certain additional regulatory burdens. Key changes in the Proposed Amendment include: (1) a revised definition of “Class A companies” that is narrower than the definition included in the Pre-Proposed Amendment, so that only entities with large New York operations are subject to the heightened requirements applicable to such companies; (2) requiring increased accountability for cybersecurity governance at the board of directors and C-suite levels; (3) allowing more risk-based controls to prevent initial unauthorized systems access and the spread of a cyberattack than those included in the Pre-Proposed Amendment, such as allowing the Chief Information Security Officer (“CISO”) to authorize reasonable alternatives to NYDFS-prescribed multi-factor authentication requirements; (4) putting in place additional requirements to those included in the Pre-Proposed Amendment for incident response, business continuity and disaster recovery testing and training; (5) adding further NYDFS reporting requirements to those included in the Pre-Proposed Amendment; and (6) proposing different implementation periods for certain requirements as compared with the Pre-Proposed Amendment. Each of these key changes is discussed in turn below.
1. Class A Companies
2. Increased Accountability for Cybersecurity at the Leadership Level
3. Risk-Based Controls to Prevent Unauthorized Systems Access and the Spread of a Cyberattack
4. Enhanced Requirements for Vulnerability Management, Penetration Testing and Incident Response, Business Continuity, and Disaster Recovery Testing and Training
5. Additional Reporting Requirements
Part 500 currently requires a covered entity to notify NYDFS within 72 hours of determining that a cybersecurity event has occurred that has a reasonable likelihood of materially harming any material part of the covered entity’s normal operations (or that must be reported to another government or regulatory body). The Pre-Proposed Amendment added requirements for covered entities to notify NYDFS within 72 hours of any cybersecurity event in which an unauthorized user has gained access to a privileged account or in which ransomware was deployed within a material part of the covered entity’s information systems, and within 24 hours of any extortion payment made in connection with a cybersecurity event. Documentation regarding the covered entity’s investigation of a reportable cybersecurity event must be provided to NYDFS electronically within 90 days of the covered entity’s initial report of the event. The Proposed Amendment preserves these requirements and adds a further requirement that covered entities notify NYDFS within 72 hours of becoming aware of a cybersecurity event at a third-party service provider that affects the covered entity.
6. Revised Transitional Implementation Periods for Certain Technical Requirements
Although the NYDFS rulemaking would generally become effective 180 days from the date of publication of the Notice of Adoption in the State Register (“Effective Date”), the Proposed Amendment establishes different timelines for compliance with certain requirements proposed therein. For example, covered entities would have (i) 30 days from the Effective Date to comply with the new NYDFS notice requirements; (ii) one year from the Effective Date to comply with the Proposed Amendment’s data backup requirements; (iii) 18 months from the Effective Date to comply with the new requirement to conduct automated or manual scans of information systems as set forth in the Proposed Amendment; and (iv) two years from the Effective Date to comply with the requirement that covered entities implement written policies and procedures designed to ensure a complete, accurate and documented asset inventory.
If adopted as a final rule, the Proposed Amendment is likely to require substantial time, effort and resources for covered entities to come into compliance, particularly given the NYDFS’ 180-day implementation period for most of its requirements.
Firms that are subject to Part 500 may wish to comment on aspects of the Proposed Amendment that they believe, for example, would be unduly burdensome or do not sufficiently reflect the operational considerations faced by industry members. They should also consider instances where they believe exemptions or exceptions should apply. Firms may also wish to seek clarification on how the Proposed Amendment would interact with other areas of compliance. Comments on the Proposed Amendment must be submitted to NYDFS by Jan. 9, 2023.
© Copyright 2006 – 2022 Law Business Research