NYDFS Proposed Amendments to the Part 500 Cybersecurity Rule – The National Law Review

On November 9, 2022, the New York Department of Financial Services (NYDFS) released its second proposed amendments to the Part 500 Cybersecurity Rule. The proposed amendments revise several aspects of the draft Cybersecurity Rule amendments released on July 29, 2022. These changes reflect several comments made in response to the draft Cybersecurity Rule and further clarify and strengthen various requirements, as highlighted below.
The following are some of the key changes in the proposed amendments:
The proposed amendments provide three new cybersecurity events that Covered Entities must report to NYDFS via the NYDFS online cybersecurity portal within 72 hours:
Unauthorized access to privileged accounts;
Deployment of ransomware within a material part of the Covered Entity’s systems; and
Any cybersecurity event that affects a third-party service provider that also affects the covered entity.
Additionally, Covered Entities must provide NYDFS with any additional information requested by NYDFS related to the investigation of a cybersecurity event within 90 days of notice. The Covered Entity must also provide continuous updates and any supplementary information related to the investigation.
The proposed amendments provide a new notification requirement for ransomware payments. If a Covered Entity makes a ransomware payment, the Covered Entity is required to notify NYDFS within 24 hours of payment. When notifying NYDFS, a Covered Entity that makes a ransomware payment must also provide a written description of the payment within 30 days, describing why payment was necessary, what alternatives were available and all related diligence performed to ensure compliance with any applicable laws and regulations.
The proposed amendments now define Class A companies as Covered Entities with at least $20 billion in gross annual revenue in-state in each of the past two fiscal years from business operations of the Covered Entity and its affiliates, and that either: (1) have more than 2,000 employees over the past two fiscal years, regardless of location, including those of both the Covered Entity and all of its affiliates, or (2) have more than $1 billion in gross annual revenue in each of the past two fiscal years from all business operations of the Covered Entity and all of its affiliates. A Covered Entity that qualifies as a Class A company will also be subject to several additional compliance requirements under the proposed amendments, including an independent audit at least annually by an external auditor, the use of external experts to conduct risk assessments at least once every three years and implementation of an endpoint detection and response solution.
The proposed amendments make significant changes to the technical requirements of the Cybersecurity Rule. Some of these changes include:
Covered Entities must conduct penetration testing of their systems, internally and externally, by a qualified internal or external independent party at least annually.
Covered Entities must have a monitoring process that ensures prompt notification of any new security vulnerabilities.
Covered Entities must have written policies and procedures for vulnerability management, must mandate automated scans of systems, and must manually review systems not covered by these scans as frequently as determined by the risk assessment or promptly after any major system changes.
Covered Entities must review and update their risk assessments at least annually, and whenever a significant change in business or technology causes a material change to their cyber risk.
The proposed amendments now require a Covered Entity to address new issues in their cybersecurity plans, including data retention, end of life management, remote access controls, systems monitoring, security awareness and training, application security, incident notification and vulnerability management.
The proposed amendments also require a Covered Entity to limit the number of accounts, access functions and actual use based on what is necessary for a user to perform their job. This includes a requirement that a Covered Entity periodically, or at least annually, review all user access privileges and remove or disable accounts that are no longer necessary (i.e., prompt termination of systems access following an employee’s departure).
The proposed amendments provide a new certification requirement that requires a Covered Entity to have their highest-ranking executive and CISO (or senior cybersecurity officer) sign an annual certification of compliance to NYDFS Part 500.
The proposed amendments now require a Covered Entity to provide relevant training on its incident response plan and its business continuity and disaster recovery plan to all employees necessary to implement such plans. These plans must be tested at least annually, and must be distributed and accessible to relevant employees.
The proposed amendments require a Covered Entity to use multifactor authentication (MFA) for all remote access to systems, third-party applications and all privileged accounts. Alternatively, the CISO can approve in writing the use of reasonably equivalent or more secure controls in place of MFA; such approvals must be reviewed periodically, and at least annually, by the CISO.
The proposed amendments require a senior governing body to approve a Covered Entity’s cybersecurity policies and procedures for the protection of its systems and nonpublic information stored in systems, at least annually.
The proposed amendments also provide several requirements for CISOs, and provide them with the adequate authority to “ensure cybersecurity risks are appropriately managed.” Some of these requirements include timely reporting to the senior governing body regarding material cybersecurity issues (i.e., major cybersecurity events or updates regarding risk assessments) and reporting plans of remediation to address material inadequacies.
The proposed amendments also require a Covered Entity’s board of directors or equivalent (i.e., an appropriate committee of the board) to exercise oversight of cybersecurity risk management, including developing, implementing and maintaining cybersecurity programs. The board of directors or equivalent must possess sufficient expertise or knowledge, or be advised by persons with sufficient expertise or knowledge, to exercise oversight of cybersecurity risk management.
The 60-day public comment period to the proposed amendments ends on January 9, 2023, and members of the public are invited to submit comments here.
About this Author
In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.
Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and…