Comment Period Comes to a Close for Significant Updates to NYDFS Cybersecurity Rules

The NYDFS will now review all received comments and either propose a revised version or adopt the final regulation.

Additional Obligations for the Largest Companies

Under the current Cybersecurity Rules, covered entities include any person operating under or required to operate under a license, registration, charter, certificate or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.¹ The Proposed Amendments create a new subcategory for larger covered entities called “Class A companies,” those covered entities with at least $20 million in gross annual revenue in each of the last two fiscal years from business operations of the covered entity and its affiliates in New York and (i) over 2,000 employees averaged over the last two fiscal years, including those of both the covered entity and all of its affiliates no matter where located or (ii) over $1 billion in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and all of its affiliates.² If the Proposed Amendments are implemented, these Class A companies will have the following obligations in addition to their obligations as covered entities:

• Conduct an independent cybersecurity program audit at least annually.
• Use external experts to conduct a risk assessment at least once every three years.
• Implement an endpoint detection and response solution to monitor anomalous activity, which must include lateral movement, and a solution that centralizes logging and security alerts.
• Implement a privileged access management solution,³ as well as an automated method of blocking commonly used passwords (to the extent feasible).⁴

“Privileged account” is a new term defined in the Proposed Amendments as those accounts that can be used to (i) perform security-relevant functions not available to ordinary users, including the ability to add or remove accounts or (ii) affect a material change to the technical or business operations of the covered entity.⁵

New Notification Requirements

Under current requirements of the Cybersecurity Regulations, covered entities must notify NYDFS within 72 hours of any cybersecurity event that (1) impacts the covered entity and notice is required to any government body, agency or other supervisory body or (2) has a reasonable likelihood of harming a material part of normal operations. The Proposed Amendments would change this second prong by changing “harming” to: “harming, disrupting or degrading any material part of the normal operation(s).”⁶ The Proposed Amendments would also expand this 72-hour notification requirement to include two additional scenarios:

• Cybersecurity events involving an unauthorized agent gaining access to a privileged account.
• Cybersecurity events that result in ransomware deployed within a material part of the covered entity’s information system.⁷

The Proposed Amendments have added a requirement that covered entities affected by a cybersecurity event at a third-party service provider must notify NYDFS within 72 hours from the time the covered entity becomes aware of the event. Covered entities would also have 90 days after notice of a cybersecurity event to respond to any requests from NYDFS on information regarding the investigation of an event.

The Proposed Amendments also establish a new 24-hour notification requirement in the event that a covered entity makes an extortion payment in connection with a cybersecurity event.⁸ Entities that make one of these extortion payments will have 30 days to report why the payment was necessary, including alternatives considered and sanctions diligence conducted.⁹

More Governance Provisions

Covered entities under the current Cybersecurity Regulations are required to implement certain cybersecurity governance practices for administering their policies. These practices include but are not limited to written cybersecurity policies approved by a Senior Officer, appointing a Chief Information Security Officer (CISO) or equivalent and regularly reporting on cybersecurity to the board. The Proposed Amendments add several new provisions to these minimum requirements:

• The CISO must have adequate authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program.
• The CISO shall consider, in the annual written report currently required, the company’s plans for remediating material inadequacies.
• Covered entity boards (or equivalent) provide oversight and direction on cybersecurity risk management, and must have sufficient knowledge and expertise, or be advised by persons with sufficient knowledge and expertise, to effectively oversee cyber risk management.
• The CISO must timely report material cybersecurity issues to the senior governing body, such as updates to the covered entity’s risk assessment or major cyber events.¹⁰
• Covered entities’ cybersecurity programs must establish written plans for mitigating disruptive events and ensuring operational resilience, including incident response, business continuity, and disaster recovery.
• Covered entities must test periodically (but at a minimum annually): incident response plans with all critical staff, business continuity and disaster recovery (BCDR) plans with all critical staff, and backup restoration. (Backups adequately protected from unauthorized alterations or destruction must be maintained.)¹¹
• Covered entities must develop and implement written policies and procedures for vulnerability management that are designed to assess the effectiveness of their cybersecurity program.¹²
• Cybersecurity programs must include periodic, but at a minimum annual, awareness training for all personnel that includes social engineering exercises.¹³
• Covered entities must conduct automated vulnerability scans, and manual review of systems not covered by those scans. The frequency of those scans would be determined by the risk assessment. (Covered entities would have 18 months to implement this requirement.)¹⁴
• The annual certification of compliance currently required must be signed by both the highest ranking executive and the CISO, and may acknowledge lack of compliance so long as the covered entity identifies remedial efforts and a timeline for their implementation.¹⁵

Revised Risk Assessments

The Proposed Amendments redefine risk assessment to mean “the process of identifying cybersecurity risks to organizational operations (including mission, functions, image and reputation), organizational assets, individuals, customers, consumers, other organizations, and critical infrastructure resulting from the operation of an information system.”¹⁶ The Proposed Amendments also include several changes to how risk assessments are conducted, including:

• Conduct risk assessments that take into account the covered entity’s specific circumstances such as size, staffing, governance, products, operations, customers, counterparties, service providers and vendors, as well as the geographies and locations of its operations.
• Incorporate threat and vulnerability analyses, as well as mitigation in risk assessment.
• Review and update the risk assessment whenever a change in business or technology causes a material change to the covered entity’s cyber risk.
• Review and update risk assessment at least annually.
• Class A companies must use external experts to conduct a risk assessment at least once every three years.¹⁷

More Access Controls & Technical Controls

The current Cybersecurity Regulations mandate that covered entities establish policies and procedures for periodically disposing of nonpublic information, as well as limiting access privileges for users on information systems that provide access to nonpublic information. The Proposed Amendments set more controls for user access and retention, as well as technical requirements, including:

• Implementing written policies and procedures to create a complete asset inventory covering all information systems and components, that tracks key information for each asset including the owner, location, classification or sensitivity, support expiration date and recovery time requirements.
• Limiting user access privileges to nonpublic information only to that which is necessary for the user’s job.
• Limit the number of privileged accounts and limit their access functions to those necessary for the user’s job.
• Limit use of privileged accounts to only when performing functions requiring the use of such access.
• Periodically, but at least annually, review all user access privileges and remove or disable accounts and access that are no longer necessary, promptly terminating access following departures.
• Disable or securely configure all protocols that permit remote control of devices.
• Conduct penetration testing from both inside and outside the information systems’ boundaries by a qualified internal or external independent party at least annually.
• To the extent passwords are used, employ a password policy that meets industry standards.¹⁸

On the topic of multifactor authentication, the Proposed Amendments create an exception for cases where the CISO approves a reasonably equivalent or more secure control, otherwise requiring multifactor authentication for (i) remote access to the covered entity’s information systems, (ii) remote access to third-party applications from which nonpublic information is accessible and (iii) all privileged accounts.¹⁹

New Enforcement Details

The Proposed Amendments include more detail on what constitutes a violation of the Cybersecurity Regulation, namely:

• The commission of a single prohibited act, or the failure to act to satisfy an obligation constitutes a violation.
• The failure to comply for any 24-hour period with any section of subsection constitutes a violation of that subsection.
• The failure to secure or prevent unauthorized access to an individual’s or entity’s nonpublic information due to noncompliance with any section constitutes a violation.²⁰

The Proposed Amendments also explain the mitigating factors the NYDFS will consider when assessing penalties that include but are not limited to:

• The extent of the covered entity’s cooperation, good faith and history of violations.
• Whether the conduct was unintentional, reckless or intentional.
• Whether the violation resulted from failure to remedy previous examination matters.
• The extent of the harm as well as the number and gravity of the violations.²¹

Effective Dates

If adopted, most of the Proposed Amendment changes will take effect 180 days from the date of adoption. The new notification requirements and the changes to the annual notice of certification will take effect 30 days after adoption. The exemptions as well as the requirement to maintain backups will take effect one year after adoption, while many technical controls-related changes will take effect 18 months after, and the requirement to maintain an asset inventory will take effect two years after.²²

Takeaway

If adopted, the Proposed Amendment changes could mean a significant time and money investment for many companies currently operating under New York’s Cybersecurity Regulation. Regulated entities should evaluate their incident response procedures to ensure timely reporting of third-party and other incidents. These covered entities should move quickly to examine the extent to which these new changes will affect them, and what additional resources they may need to devote to their existing cybersecurity programs.

Please contact a member of Akin Gump’s cybersecurity, privacy and data protection team if you have any questions about these amendments or how they will affect your company.

¹ 23 NYCRR §500.1(c).

² Proposed Second Amendment to 23 NYCRR 500, New York State Department of Financial Services, hereinafter “Proposed Amendments,” available at https://www.dfs.ny.gov/system/files/documents/2022/07/pre_proposed_Proposed_23nycrr500_amd2.pdf.

³ A “password management solution” is a program for storing usernames and passwords for multiple applications in secure, encrypted formats.

⁴ Proposed Amendments, at 5-11. Alternatively, the covered entity’s CISO may instead approve in writing at least annually the infeasibility and the use of reasonably equivalent or more secure compensating controls.

⁵ Id. at 3.

⁶ Id. at 15.

⁷ Id.

⁸ Although the document does not define “extortion payment made in connection with a cybersecurity event,” it gives ransomware as an example of a cybersecurity event.

⁹ Id. at 17. Sanctions diligence includes compliance with Office of Foreign Assets Control (OFAC) rules.

¹⁰ The term “major cyber events” is not defined.

¹¹ Id. at 14-15.

¹² Id. at 7.

¹³ Id. at 12, “social engineering” refers to cyberattacks involving manipulation of trust, such as phishing.

¹⁴ Id. at 7, 19.

¹⁵ Id. at 16.

¹⁶ Id. at 3.

¹⁷ Id. at 3-9.

¹⁸ Id. at 9.

¹⁹ Id. at 11.

²⁰ Id. at 18.

²¹ Id. at 18-19.

²² Id. at 19-20.