New York Department of Financial Services Proposes Significant Changes to its Cybersecurity Regulation
On November 9, 2022, the New York Department of Financial Services (the NYDFS) released proposed amendments (the Proposed Amendments) to its Cybersecurity Regulation, Part 500 of Title 23 of the New York Codes, Rules, and Regulations (Part 500). Part 500, often referred to as a “first-in-the-nation” cybersecurity regulation, requires financial institutions subject to NYDFS jurisdiction (covered entities[1]) to establish and maintain certain comprehensive and rigorous cybersecurity standards to protect nonpublic information (NPI) within their control. The Proposed Amendments would substantially expand the scope of Part 500 by, among other things, designating a class of entities subject to heightened cybersecurity requirements, mandating new reporting obligations (including an obligation to notify the NYDFS within 24 hours of a cyber ransom payment), expanding the requirements for what must be contained in a covered entity’s cybersecurity policies and procedures, and broadening senior management personnel’s governance and oversight responsibilities.
While the majority of the Proposed Amendments would take effect 180 days from the date of adoption, certain other provisions would take effect at various points over the next two years, as detailed below. Comments on the Proposed Amendments are due on January 9, 2023.
Key New Obligations
Cybersecurity Incident Reporting
Covered entities are currently required to notify the NYDFS within 72 hours of any cybersecurity event that either (1) requires notice to a supervisory body or (2) has a reasonable likelihood of materially harming any material part of a company’s normal operations. The Proposed Amendments would additionally require:
- Notification to the NYDFS within 72 hours of any cybersecurity event that has a reasonable likelihood of disrupting or degrading any material part of a company’s normal operations;
- Notification to the NYDFS within 72 hours of any unauthorized access to a privileged account or deployment of ransomware within a material part of the company’s information systems;
- Notification to the NYDFS within 72 hours of any cybersecurity event at a third party service provider[2] that affects a covered entity; and
- Notification to the NYDFS within 24 hours of an extortion payment made in connection with a cybersecurity event involving the covered entity.
Moreover, within 90 days of a cybersecurity event, covered entities would need to provide the NYDFS any information requested regarding the investigation of the cybersecurity event and would have a continuing obligation to update and supplement the information provided. Covered entities would also be required to provide to the NYDFS, within 30 days of any extortion payment made in connection with a cybersecurity event involving the covered entity:
- A written description of why that payment was necessary and any alternatives to payment that were considered; and
- A summary of diligence performed to find alternatives to payment and of diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control.
Effectively, covered entities already have an obligation to report some ransomware incidents, namely those that have a reasonable likelihood of “materially harming a material part of a company’s normal operations.” The Proposed Amendments, however, would make this duty explicit and broader by requiring covered entities to notify the NYDFS whenever ransomware has been deployed within a material part of a company’s information systems; under this test, the trigger is the scope of the ransomware deployment, not whether harm has occurred. These expanded requirements would formalize some of the principles articulated in the NYDFS’ 2021 guidance on ransomware prevention, which urged covered entities to implement various cybersecurity safeguards, such as an incident response plan specifically addressing ransomware incidents.
Annual Certifications or Acknowledgments
Part 500 currently obligates each covered entity to submit an annual certification of compliance to its board of directors or equivalent governing body (or if none, a senior officer responsible for the covered entity’s cybersecurity program). Under the Proposed Amendments, the certification of compliance would have to be based on data and documentation sufficient to accurately determine full compliance, and be signed by the company’s highest-ranking executive and Chief Information Security Officer (CISO) (or absent a CISO, the highest-ranking executive and senior officer responsible for the cybersecurity program of the covered entity).
Covered entities would also have the option to issue a written acknowledgment in lieu of a certification; such acknowledgment would state that the covered entity did not fully comply with all requirements of Part 500. This acknowledgment would need to, among other things, provide remediation plans and a timeline for their implementation, and identify all sections of Part 500 with which the entity did not fully comply, along with the nature and extent of such noncompliance. The acknowledgment would need to be signed by the highest-ranking executive and CISO, or, if there is no CISO, the senior officer responsible for the cybersecurity program of the covered entity. As with the annual certification, covered entities would be obligated to maintain all records and documentation relating to the acknowledgment of noncompliance, including all remedial efforts undertaken to address any areas, systems and processes that required material improvement, updating or redesign.
“Class A” companies
The Proposed Amendments would create a new category of “Class A” companies, the members of which would be covered entities that, together with their affiliates, have at least $20,000,000 in gross annual revenue in each of the last two fiscal years and (1) more than 2,000 employees averaged over the last two fiscal years or (2) averaged more than $1,000,000,000 in gross annual revenue in each of the last two fiscal years. Class A companies would be subject to certain heightened requirements, including the obligation to:
- At least annually, conduct an independent external audit of their cybersecurity programs;
- At least once every three years, use external experts to conduct a risk assessment;
- Monitor privileged access activity and implement:
  - A privileged access management solution; and
  - An automated method of blocking commonly used passwords for all accounts. To the extent a covered entity determines that blocking commonly used passwords is infeasible, the covered entity’s CISO may instead approve in writing at least annually the infeasibility and the use of reasonably equivalent or more secure compensating controls; and
- Subject to the CISO’s ability to approve in writing the use of reasonably equivalent or more secure controls and tools, as applicable, implement:
  - An endpoint detection and response solution to monitor anomalous activity; and
  - A solution that centralizes logging and security event alerting.
Governance and Oversight
Senior governing bodies (i.e., the covered entity’s board of directors (or an appropriate committee thereof) or equivalent governing body, or, if neither of those exists, the senior officer of the covered entity responsible for the covered entity’s cybersecurity program), the CISO, and the highest-ranking executive would be vested with broad governance and oversight duties under the Proposed Amendments. For example, under the Proposed Amendments:
- The senior governing body must approve the covered entity’s written policies at least annually;
- If the covered entity has a board of directors or equivalent, the board or an appropriate committee thereof must exercise oversight of, and provide direction to management on, the covered entity’s cybersecurity risk management. That board or appropriate committee thereof must require the covered entity’s executive management or its delegates to develop, implement, and maintain the company’s cybersecurity program, and must have sufficient expertise and knowledge (or be advised by persons with sufficient expertise and knowledge) to exercise effective oversight of cybersecurity risk management;
- The CISO must include plans for remediating material inadequacies (in addition to several other items set forth in the current regulations) in its annual report to the senior governing body on the covered entity’s cybersecurity program;
- The CISO must timely report to the senior governing body regarding material cybersecurity issues, such as updates to the covered entity’s risk assessment or major cybersecurity events;
- The CISO must periodically, based on a frequency determined by the covered entity’s risk assessment but at a minimum annually, review any approvals with respect to compensating controls;
- The CISO must be given adequate authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program; and
- The CISO must at least annually review the feasibility of encryption and the effectiveness of any compensating controls for unencrypted nonpublic information.
The Proposed Amendments also make clear that the CISO would need to include—instead of simply “consider” (as Part 500 currently provides)—certain items in the CISO’s annual report (to the extent applicable), such as the confidentiality of NPI and the integrity and security of the covered entity’s information systems. These increased oversight and governance obligations would, taken together, empower senior officials with more autonomy to continually shape a covered entity’s cybersecurity compliance program at all levels.
Cybersecurity Policies and Procedures
The Proposed Amendments would create new requirements with respect to written cybersecurity policies and procedures. In particular, a covered entity’s policies and procedures would need to:
- Cover new topics that must be approved at least annually by the covered entity’s governing body, including those applicable to the company’s operations, such as data retention, end-of-life management, remote access, security awareness and training, and vulnerability management.
- Require a complete, accurate and documented asset inventory.
- Require encryption that meets industry standards to protect NPI held or transmitted by the covered entity both in transit and at rest.
Incident Response and Business Continuity Management
The Proposed Amendments would supplement existing requirements for covered entities to implement incident response plans with obligations to have written plans for business continuity and disaster recovery (BCDR). These BCDR plans, at a minimum, would need to:
- Identify business components essential to continued operations such as documents, data, facilities, personnel and competencies, and supervisory personnel responsible for the implementation of the BCDR plans;
- Prepare communication plans to ensure continuity of communications with stakeholders such as leadership, employees, third parties, regulatory authorities, and others essential to continuity;
- Maintain procedures for the back-up of infrastructure and data; and
- Identify third parties necessary to continued operations.
Under the Proposed Amendments, a covered entity’s incident response plans would need to address different types of cybersecurity events, including disruptive events such as ransomware incidents. The incident response and BCDR plans would need to be periodically tested by all staff critical to the response, and revised accordingly based on such tests. Moreover, each covered entity would be required to ensure the current copies of the plans or relevant portions therein are distributed or otherwise accessible to all employees necessary to implement such plans. All personnel involved in the implementation of these plans would be required to receive appropriate training as well. Further, each covered entity would need to maintain backups that are adequately protected from unauthorized alterations or destruction.
These new requirements reflect the NYDFS’ focus on ensuring covered entities’ senior personnel are closely involved with incident response planning. This approach was reaffirmed in the NYDFS’ ransomware guidance discussed above, which provides that “decision makers such as the CEO should not be testing the incident response plan for the first time during a ransomware incident.” Like the enhanced requirements regarding policies and procedures, these additional prescriptive operational resilience obligations would encourage a more sophisticated and flexible approach to responding to cybersecurity incidents that takes into account the various ways in which cybersecurity systems can be compromised.
Risk, Impact and Vulnerability Assessments, and Penetration Testing
The Proposed Amendments would expand the definition of “risk assessment” to apply to the process of identifying cybersecurity risks to organizational operations, organizational assets, individuals, customers, consumers, other organizations, and critical infrastructure resulting from the operation of the information system. Under the Proposed Amendments, risk assessments would need to:
- Take into account a number of specific circumstances of the covered entity, including but not limited to its size, staffing, and governance;
- Incorporate threat and vulnerability analyses and consider mitigations provided by security controls planned or in place; and
- Be reviewed and updated at least annually and whenever a change in the business or technology causes a material change to the covered entity’s cyber risk.
Rather than obligate covered entities to implement a cybersecurity program that includes monitoring and testing developed in accordance with their risk assessment, the Proposed Amendments would broadly mandate that covered entities develop and implement written policies and procedures for vulnerability management that are designed to assess the effectiveness of their cybersecurity program. These policies and procedures would need to ensure that covered entities:
- Conduct, at a minimum:
  - At least annually, penetration testing of their information systems from both inside and outside the information systems’ boundaries by a qualified internal or external independent party; and
  - Automated scans of information systems, and a manual review of systems not covered by such scans, for the purpose of discovering, analyzing and reporting vulnerabilities at a frequency determined by the risk assessment, and promptly after any major system changes;
- Have a monitoring process in place to ensure they are promptly informed of the emergence of new security vulnerabilities;
- Timely remediate vulnerabilities, giving priority to vulnerabilities based on the risk they pose to the covered entity; and
- Document material issues found during testing and report them to the senior governing body and senior management.
These proposed requirements underscore the NYDFS’ objective of ensuring covered entities do not allow their risk and vulnerability assessments to become stale so that they are adequately prepared to address new and emerging cybersecurity threats. In this respect, these expanded requirements would be consistent with the expanded risk assessment requirements contained in the amendments[3] issued this past fall by the FTC to the 2002 Gramm-Leach-Bliley Act (GLBA) Standards for Safeguarding Customer Information (known as the Safeguards Rule). The Safeguards Rule, as amended, obligates regulated financial institutions to perform additional risk assessments that reexamine the reasonably foreseeable internal and external risks to customer information that could result in the compromise of such information.
Other Cyber Controls
The Proposed Amendments would impose numerous new obligations with respect to other cybersecurity controls as well, namely that a company must, based on its risk assessment:
- Periodically, but at a minimum annually, review all user access privileges and remove or disable accounts and access that are no longer necessary;
- Limit the number of privileged accounts, as well as the access function of privileged accounts, to only those necessary to perform the user’s job;
- Disable or securely configure all protocols that permit remote control of devices; and
- Promptly terminate access following departures.
The Proposed Amendments would also obligate covered entities to implement a written password policy (to the extent passwords are employed as a method of authentication) that meets industry standards, and implement written policies and procedures designed to ensure a complete, accurate, and documented asset inventory, which would need to include, at a minimum, a method to track key information for each asset (e.g., owner, location, classification or sensitivity), and the frequency required to update and validate the covered entity’s asset inventory.
Except where reasonably equivalent or more secure compensating controls have been implemented and approved by the CISO in writing, multi-factor authentication would also need to be utilized for remote access to the covered entity’s information systems, remote access to third-party applications from which NPI is accessible, and all privileged accounts. Moreover, covered entities would need to implement controls that protect against malicious code, including those that monitor and filter web traffic and emails to block malicious content as well as provide periodic, but at a minimum annual, cybersecurity training programs that include social engineering exercises.
The Proposed Amendments would add specificity on what constitutes a Part 500 violation. In particular, a violation would be defined as committing a single act prohibited by Part 500 or the failure to act to satisfy an obligation. Acts or failures would include, but not be limited to:
- The failure to secure or prevent unauthorized access to an individual’s or an entity’s NPI due to noncompliance with any section of Part 500; or
- The failure to comply for any 24-hour period with any section or subsection of Part 500.
The Proposed Amendments also describe certain factors that would mitigate any potential penalty levied for a violation of Part 500, such as (1) the extent to which the covered entity has cooperated with the superintendent in the investigation of such acts, (2) the good faith of the entity, and (3) whether the violations resulted from conduct that was unintentional or inadvertent, reckless, or intentional and deliberate.
Expanded Exemptions and Effective Dates
The Proposed Amendments would broaden the small company exemption applicable to certain provisions of Part 500 to capture those covered entities that have (1) fewer than 20 (instead of 10) employees and independent contractors or (2) less than $15,000,000 (instead of $10,000,000) in year-end total assets. The Proposed Amendments would also exempt certain individual insurance brokers and agents.
The majority of the Proposed Amendments would take effect 180 days from the date of adoption. However, certain provisions would include different transitional periods:
- 30 days from adoption: new reporting obligations, including requirements on cybersecurity event notification and compliance certifications.
- 1 year from adoption: new obligation to maintain backups that are adequately protected from unauthorized alterations or destruction, as well as the limited exemption for smaller companies described above.
- 18 months from adoption: new obligations to:
  - Address automated scans of information systems and a manual review of systems not covered by such scans in covered entities’ policies and procedures;
  - Implement a written password policy (if applicable);
  - Utilize multi-factor authentication for certain purposes, except where reasonably equivalent or more secure compensating controls have been implemented and approved by the CISO;
  - Implement controls that protect against malicious code; and
  - Implement certain endpoint detection solutions (for Class A companies only).
- 2 years from adoption: new obligation to implement written policies and procedures designed to ensure a complete, accurate, and documented asset inventory.
Several provisions would take effect immediately upon adoption as well, such as the insurance broker exemption, violation provisions, and exemption from electronic filing and submission requirements.
The Proposed Amendments reflect the NYDFS’ concerns about an increasingly volatile cyber threat landscape, one which poses unique threats to financial institutions. In proposing to significantly expand Part 500, the NYDFS has indicated it intends to continue being at the forefront of the development of cybersecurity regulation. Many covered entities may already be implementing certain of the data security measures mandated by the Proposed Amendments, but there may be ways in which the NYDFS could moderate the requirements to accommodate covered entities’ constraints. There is sufficient time to suggest changes to the Proposed Amendments through comments filed with the NYDFS. Arnold & Porter regularly assists clients with comments on proposed rules such as these, and we are available to consult about drafting comments that would be valuable contributions to the NYDFS in finalizing rules based on the Proposed Amendments.
© Arnold & Porter Kaye Scholer LLP 2022 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
[1] “Covered Entity” is defined in Part 500 as any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law. (NY Comp. Codes R. & Regs. Tit. 23 § 500.01(c))
[3] You can read more about the amended Safeguards Rule in Arnold & Porter’s Advisory (Nov. 29, 2021).