On July 29, 2022, New York’s Department of Financial Services (DFS) issued proposed amendments to its cybersecurity regulations for financial services companies (23 NYCRR 500).
The proposed changes would require companies to expand their cybersecurity programs to include business continuity and disaster recovery plans and to implement certain security technologies such as multi-factor authentication. The proposal would also increase the required frequency of companies’ risk assessments and security testing. The proposed changes would also require boards of directors to get more involved in supervising cybersecurity measures, while at the same time requiring that CISOs be sufficiently independent.
What are the proposed changes to the New York DFS Cybersecurity Regulations?
The following provides a summary of the proposed changes to the New York DFS cybersecurity regulations:
Stricter Requirements for “Class A” Companies: The proposal introduces a new category of Class A companies that are subject to stricter requirements. Class A companies are those with more than 2,000 employees or average gross annual revenue of $1 billion. Among other requirements, Class A companies must conduct an independent audit of their cybersecurity program at least annually. Class A companies must also use “external experts” to conduct a risk assessment at least once every three years. Class A companies are required to implement endpoint monitoring and response systems, as well as centralized logging and security event alerts.
Business Continuity and Disaster Recovery Plans: The proposal would require all companies to develop business continuity and disaster recovery plans to ensure their operational resilience following a cybersecurity incident. The plans must include details on maintaining and updating backups and companies must conduct regular training on the plans.
Multi-Factor Authentication: The proposal would require all companies to implement multi-factor authentication for all “privileged accounts,” which the proposal defines as accounts that can perform security functions or otherwise materially change the company’s operations.
Class A companies must also monitor access to privileged accounts. To the extent passwords are used to access privileged accounts, Class A companies must deploy a password vaulting solution and an automated method of blocking commonly used passwords.
Encryption: The proposal would require companies to have a written encryption policy, and would eliminate language from the existing regulations that gives companies the option to use an alternative to encryption to secure data in transit.
For data at rest, if the company determines that encryption is not feasible, the proposal would require the company’s CISO to make that determination in writing and require the CISO to reevaluate that decision at least annually.
E-Mail Monitoring and Phishing Training: The proposal would require companies to implement email monitoring and filtering to protect against malicious content and would require regular employee training on phishing, including simulations where appropriate.
Testing and Assessments: The existing regulations already require companies to conduct penetration tests and vulnerability assessments. The proposal would add that penetration tests must be conducted by a “qualified independent party.” The proposal would also change the requisite frequency for vulnerability assessments from bi-annually to “regularly.” For Class A companies, the proposal would require vulnerability assessments at least weekly.
Companies would also be required to update their risk assessments at least annually, as well as whenever a material change in the company’s business or technology occurs.
Expanded Requirements for Cybersecurity Programs: The proposal would require companies to explicitly address the following in their Cybersecurity Programs: remote access; vulnerability and patch management; and end-of-life management.
The proposal would also require cybersecurity programs to include an inventory of the company’s assets, including hardware, operating systems, applications, APIs, and cloud services. The inventory would need to include a sensitivity ranking for each asset and account for the date the manufacturer/developer will stop supporting the asset.
Governance and Oversight: The proposal would require the company’s board of directors to be more actively involved in cybersecurity. Specifically, the proposal would require board members to have “sufficient expertise and knowledge […] to exercise effective oversight of cyber risk,” either personally or through advisors. The proposal would require boards to designate a committee that is responsible for cybersecurity, and require the board to review and approve the company’s cybersecurity program at least annually.
At the management level, the proposal would require both the CISO and CEO to sign an annual certification of the company’s compliance with the cybersecurity regulations. The proposal would also require the CISO to have “adequate independence and authority to ensure cybersecurity risks are appropriately managed,” while also requiring the CISO to provide timely reports to the board regarding cyber incidents and updates to the company’s cybersecurity program.
New Notice Requirements: The existing regulations already require companies to provide notice of an incident to DFS within 72 hours. The proposal would clarify that this notice is required whenever ransomware is deployed and whenever an unauthorized actor obtains access to a privileged account.
In addition to the existing incident notification rules, the proposal would require companies to notify the DFS within 24 hours of making an extortion payment to a threat actor (such as a ransomware payment), and then to provide a report to DFS within 30 days explaining why the company chose to pay the threat actor, what alternatives it considered, and what measures it took to ensure compliance with OFAC rules.
Enforcement: The proposal would clarify that non-compliance with any single provision of the regulations for a 24-hour period would constitute a violation of the regulations. In the event of a violation, the proposal lists a set of mitigating factors that the New York DFS can consider, which would apply to all covered companies.
Implementation Timeline: If the proposal were adopted, companies would have six months to comply with most of the new requirements and a year to comply with some of the new technology requirements. However, the new notice requirements would take effect within 30 days.
What should New York financial services companies do next?
The comment period is open until August 18th. If you would like to provide feedback on the proposed changes, the agency contact information can be found on the DFS website.
Our experienced team of attorneys has worked with numerous businesses on New York DFS inquiries and regulatory compliance efforts including policy development and training. The Octillo team can help you navigate through these changes and begin assessing how they may impact your business. Our team can help your company mitigate risks, while assessing the effectiveness of your cybersecurity program and creating a roadmap to tackle each new component, including planning for resource allocation in the form of time, money, technology, and personnel. Octillo will help you better understand the Regulation’s requirements and legal implications while also helping reduce risk and manage privacy matters.
*Attorney advertising: prior results do not guarantee future outcomes.