New York State Department of Financial Services Publishes Updated Version of Proposed Amendments to Cybersecurity Regulation
The New York State Department of Financial Services (NYDFS) recently published revised proposed amendments (the Revised Proposed Amendments) to the state’s cybersecurity regulation for the financial services industry (23 NYCRR Part 500). The Revised Proposed Amendments would significantly clarify and expand the compliance obligations of NYDFS-regulated financial institutions (covered entities[1]), reflecting comments received on the prior version we discussed in an earlier advisory. The Revised Proposed Amendments would impose greater cybersecurity requirements on larger, Class A entities, expand covered entities’ obligations to report cybersecurity events and safeguard consumer data, and mandate increased governance and oversight responsibilities for senior management.
If codified, the Revised Proposed Amendments will take effect 180 days from the date of adoption or later, except for the new certification and event notification requirements, responsibilities for Chief Information Security Officers (CISOs), vulnerability management policy requirements, and requirements for backups, which will take effect earlier.
Comments on the Revised Proposed Amendments are due on Aug. 14.[2] The NYDFS has encouraged companies interested in submitting comments to review the Assessment of Public Comments to see which comments the department has already considered.
The final version is expected soon. As the NYDFS moves closer to implementing the substantial regulatory changes discussed below, NYDFS-regulated financial institutions should note the following to help ensure their cybersecurity compliance programs keep up:
- Be prepared to address new reporting obligations. Some of these new reporting requirements, including cybersecurity event notification and compliance certifications, will become effective just 30 days after the amendments are finalized. It would therefore be prudent for regulated financial institutions to begin preparing now to certify for material compliance with the new requirements in Part 500. Certification would be due on April 15, 2024, if the amendments come into effect by the end of the year.
- Be ready for new oversight and governance requirements. Managers and directors of financial institutions should actively prepare to execute various new complex and ongoing oversight obligations. Directors should take steps to begin identifying any needed expert advisers who will help them to exercise effective oversight over a cybersecurity program.
- Assess the details of your own cybersecurity program. Preparing for compliance with the new Part 500 obligations will require a deep understanding of your cybersecurity program, including any areas that may need improvement. Certain requirements, such as completing a full asset inventory, may require an extensive investigation. For many institutions, this will take significant time and effort. Prepare for the approaching deadlines by getting to know your system now.
- Put your team together. Having qualified and capable cybersecurity talent will be essential in guaranteeing material and timely compliance with these new requirements. In particular, covered entities should make sure that they have a designated CISO who is responsible for cybersecurity and sufficiently capable and empowered to develop and implement cybersecurity plans and controls that comply with the proposed changes to Part 500.
- Communicate any comments on the Revised Proposed Amendments to the NYDFS — and do it soon. The Revised Proposed Amendments are subject to only a 45-day comment period. However, there is still time to suggest other changes by filing comments with the NYDFS. We regularly assist clients with comments on proposed rules such as these and are available to consult on drafting comments that would be valuable contributions to the NYDFS in finalizing rules based on the Revised Proposed Amendments.
Key Requirements of the Revised Proposed Amendments
Cybersecurity Incident Reporting
Part 500 requires covered entities to notify the NYDFS within 72 hours of any cybersecurity event that requires notice to a supervisory body or has a reasonable likelihood of materially harming any material part of a company’s normal operations.[3] The Revised Proposed Amendments would expand these requirements by obligating a covered entity to provide notification of any cybersecurity event, whether experienced by the covered entity, its affiliates, or a third-party service provider,[4] that:
- Must be communicated to any other government body, self-regulatory agency, or any other supervisory body
- Has a reasonable likelihood of materially harming any material part of a covered entity’s normal operations or
- Involves unauthorized access to a privileged account or deployment of ransomware within a material part of the company’s information systems
The Revised Proposed Amendments would mandate that covered entities promptly provide any information requested regarding such a cybersecurity event and would impose on covered entities an ongoing obligation to update and supplement the information provided.
Covered entities would also be required to notify the NYDFS within 24 hours of an extortion payment made in connection with a cybersecurity event involving the covered entity. Further, within 30 days of the extortion payment made in response to a cybersecurity event, covered entities would need to provide:
- A written description of why that payment was necessary and any alternatives to payment that were considered; and
- A summary of diligence performed to find alternatives to payment and of diligence performed to ensure compliance with applicable rules and regulations, including those of the Office of Foreign Assets Control
Under Part 500, covered entities are required to submit to their board of directors or an equivalent governing body (or, if none, a senior officer responsible for the covered entity’s cybersecurity program) an annual certification of compliance with the Part 500 requirements.[5] The Revised Proposed Amendments would mandate that these certifications be supported by data and documentation sufficient to accurately determine compliance and be signed by the company’s highest-ranking executive and CISO (or, absent a CISO, the highest-ranking executive and senior officer responsible for the cybersecurity program of the covered entity).
Alternatively, covered entities would be permitted to issue a written acknowledgment in lieu of a certification. Such an acknowledgment would need to state that the covered entity did not fully comply with all requirements of Part 500, identify all sections of Part 500 with which the entity did not materially comply (along with the nature and extent of the noncompliance), and provide a remediation timeline or confirmation that remediation had been completed.
Covered entities would also be obligated to maintain for examination and inspection by the NYDFS upon request all records, schedules, and other documentation and data supporting the certification or acknowledgment for a period of five years. That documentation and data would need to include, among other things, the identification of all areas, systems, and processes that require or required material improvement or redesign.
Class A Companies
The Revised Proposed Amendments would establish a new category of Class A companies subject to heightened security requirements. As proposed, Class A companies would be covered entities that, together with their affiliates that share information systems, cybersecurity resources or all or any part of a cybersecurity program with the covered entity, have at least $20 million in gross annual revenue in each of the last two fiscal years and (1) more than 2,000 employees averaged over the last two fiscal years or (2) averaged more than $1 billion in gross annual revenue in each of the last two fiscal years. Class A companies would be required to:
- Conduct at least annually an independent audit of their cybersecurity programs, using either internal or external auditors
- Monitor privileged access activity and implement:
- A privileged access management solution; and
- An automated method of blocking commonly used passwords for all accounts on information systems owned or controlled by a Class A company and when feasible for all other accounts. To the extent a covered entity determines that blocking commonly used passwords is infeasible, the covered entity’s CISO may instead approve in writing at least annually the infeasibility and the use of reasonably equivalent or more secure compensating controls; and
- Implement, subject to the CISO’s ability to approve in writing the use of reasonably equivalent or more secure compensating controls, as applicable:
- An endpoint detection and response solution to monitor anomalous activity; and
- A solution that centralizes logging and security event alerting
Governance and Oversight
The Revised Proposed Amendments impose significant governance and oversight responsibilities on the highest-ranking executive, the CISO, and the senior governing body of a covered entity. The roles of the CISO and the senior governing body of a covered entity are both specified in the Revised Proposed Amendments.
The CISO would be a qualified individual responsible for overseeing and implementing the covered entity’s cybersecurity program and enforcing its cybersecurity policy and who has adequate authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain an effective cybersecurity program.
The senior governing body would be the covered entity’s board of directors (or an appropriate committee thereof) or equivalent governing body, or, if neither of those exists, the senior officer(s) of the covered entity responsible for its cybersecurity program. When a cybersecurity program has been adopted from an affiliate, the relevant senior governing body may be that of the affiliate as well.
The expanded responsibilities of the senior governing body would include:
- Approving the covered entity’s written policies at least annually
- Exercising effective oversight of the entity’s cybersecurity risk management; and
- Ensuring that the covered entity’s executive management or its designees develop, implement, and maintain the company’s cybersecurity program
The CISO’s responsibilities would include:
- Planning for remediating material inadequacies (in addition to several other items set forth in the current regulations) in the CISO’s annual report to the senior governing body on the covered entity’s cybersecurity program
- Timely reporting to the senior governing body any material cybersecurity issues, such as significant updates to the covered entity’s risk assessment or significant cybersecurity events
- Periodically, but at a minimum annually, reviewing any compensating controls that the CISO previously approved in writing as reasonably equivalent to or more secure than multifactor authentication; and
- At least annually, reviewing the feasibility of encryption and the effectiveness of any compensating controls for unencrypted nonpublic information (NPI)
Additionally, the CISO would need to include in the CISO’s annual report, rather than merely “consider” (as Part 500 currently provides), particular items such as the confidentiality of NPI and the overall effectiveness of the covered entity’s cybersecurity program.
Cybersecurity Policies and Procedures
The Revised Proposed Amendments would also establish new requirements for written cybersecurity policies and procedures. Specifically, a covered entity’s policies and procedures would need to:
- Cover new topics that must be approved at least annually by the covered entity’s senior governing body, including those applicable to the company’s operations, such as data retention, end-of-life management, network security monitoring, security awareness and training, and vulnerability management
- Require a complete, accurate, and documented asset inventory of the covered entity’s information systems; and
- Require encryption that meets industry standards to protect NPI held or transmitted by the covered entity both in transit and at rest
Incident Response and Business Continuity Management
To expand the existing Part 500 requirement that covered entities implement security incident response plans,[6] the Revised Proposed Amendments would require the implementation of written business continuity and disaster recovery (BCDR) plans. These BCDR plans, at a minimum, would have to:
- Identify business components essential to continued operations, such as documents, data, facilities, services, personnel, and competencies, and supervisory personnel responsible for the implementation of the BCDR plans
- Prescribe communication plans to ensure the continuity of communications with stakeholders, such as leadership, employees, third parties, regulatory authorities, and others essential to continuity
- Establish procedures for the backup of infrastructure and critical data; and
- Identify third parties necessary to continued operations
The Revised Proposed Amendments also would require that covered entities’ incident response plans include a root cause analysis describing how and why a cybersecurity event occurred, what business impact it had, and what will be done to prevent a reoccurrence. Further, covered entities would need to take steps to ensure that:
- Incident response and BCDR plans are periodically tested with critical staff and revised as needed.
- Current copies of plans or relevant portions of the plans are distributed or accessible to all relevant employees.
- All personnel involved in the implementation of these plans are properly trained.
- Backups necessary for restoring material operations are maintained and adequately protected from unauthorized alteration or destruction.
Risk Assessments, Impact and Vulnerability Assessments, and Penetration Testing
The Revised Proposed Amendments would also broaden the definition of “risk assessments” to include identifying cybersecurity risks to organizational operations, organizational assets, individuals, customers, consumers, other organizations, and critical infrastructure resulting from the operation of the information system. Under the Revised Proposed Amendments, covered entities would need to ensure risk assessments:
- Incorporate threat and vulnerability analyses and consider mitigations provided by security controls planned or in place; and
- Are reviewed and updated at least annually and whenever a change in the business or technology causes a material change to the covered entity’s cyber risk
Covered entities also would be required to develop and implement written policies and procedures addressing vulnerability management. These policies and procedures would need to require the covered entity to:
- Conduct, at a minimum:
- Penetration testing at least annually of their information systems from both inside and outside the information systems’ boundaries by a qualified internal or external party; and
- Automated scans of information systems and a manual review of systems not covered by such scans for discovering, analyzing, and reporting vulnerabilities at a frequency determined by the risk assessment and promptly after any material system changes
- Have a monitoring process in place to ensure that covered entities are promptly informed of new security vulnerabilities; and
- Timely remediate vulnerabilities, giving priority to vulnerabilities based on the risk they pose to the covered entity
Under the Revised Proposed Amendments, multifactor authentication would be required for any access to the covered entity’s information systems, unless reasonably equivalent or more secure compensating controls have been implemented and approved by the CISO in writing, or the covered entity is covered by a limited exemption for smaller companies.
Additional Cybersecurity Requirements
The Revised Proposed Amendments would impose several additional cybersecurity mandates on covered entities based on the results of their risk assessment as well, including to:
- Periodically, but at a minimum annually, review all user access privileges and remove or disable accounts and access that are no longer necessary
- Limit the number of privileged accounts, as well as the access function of privileged accounts, to only those necessary to perform the user’s job
- Disable or securely configure all protocols that permit remote control of devices; and
- Promptly terminate access following employee departures
In addition, the Revised Proposed Amendments would require that covered entities implement a written password policy (to the extent passwords are employed as a method of authentication) that complies with industry standards; implement controls that protect against malicious code, including controls that monitor and filter web traffic and emails to block malicious content; and provide periodic, but at a minimum annual, cybersecurity training programs that include social engineering exercises.
The Revised Proposed Amendments would clarify what acts constitute a Part 500 violation. Under the Revised Proposed Amendments, a violation would be defined as committing a single act prohibited by Part 500 or the failure to act to satisfy an obligation. Acts or failures would include:
- The failure to secure or prevent unauthorized access to an individual’s or an entity’s NPI due to noncompliance with any section of Part 500; or
- The material failure to comply for any 24-hour period with any section or subsection of Part 500
Notably, the Revised Proposed Amendments clarify that only a material failure to comply for a 24-hour period with a section or subsection of Part 500 would constitute a violation. Additionally, the Revised Proposed Amendments identify several mitigating factors that could limit a potential penalty levied for a violation of Part 500, such as (1) the extent to which the covered entity has cooperated with the superintendent in the investigation of such acts; (2) the good faith of the entity; (3) whether the violations resulted from conduct that was unintentional or inadvertent, reckless, or intentional and deliberate; and (4) the extent to which the relevant policies and procedures of the company are consistent with nationally recognized cybersecurity frameworks, such as those of the National Institute of Standards and Technology.
Most of the provisions of the Revised Proposed Amendments take effect 180 days after the amendments are adopted. Some of the provisions, however, take effect at different times:
- 30 days from adoption, new reporting obligations, including requirements on cybersecurity event notification and compliance certifications
- 1 year from adoption, new obligations to:
- Designate a CISO who complies with relevant reporting and oversight requirements
- Establish a written policy requiring encryption or approved alternative compensating controls
- Implement incident response plans, BCDRs, and disaster recovery plans; and
- Maintain backups that are adequately protected from unauthorized alterations or destruction
- 18 months from adoption, new obligations to:
- Address automated scans of information systems and a manual review of systems not covered by such scans in covered entities’ policies and procedures
- Implement certain access controls and, if applicable, a written password policy
- Implement risk-based controls designed to protect against malicious code; and
- Implement certain endpoint detection solutions (for Class A companies only)
- 2 years from adoption, new obligations to:
- Implement written policies and procedures designed to ensure a complete, accurate, and documented asset inventory of the covered entity’s information systems
- Employ multifactor authentication for any access to the covered entity’s systems, except when reasonably equivalent or more secure compensating controls have been implemented and approved by the CISO
Several provisions would take effect immediately upon adoption as well, such as the insurance broker exemption, violation provisions, and exemption from electronic filing and submission requirements.
As the NYDFS continues to move closer to implementing these substantial regulatory changes, NYDFS-regulated financial institutions should be taking their own steps to ensure their cybersecurity compliance programs keep pace. Financial institutions with questions about the Revised Proposed Amendments or wishing to submit comments to the NYDFS may contact any of the authors of this advisory or their usual Arnold & Porter contacts. The firm's Financial Services and Privacy, Cybersecurity & Data Strategy teams would be pleased to assist with any questions about submitting a comment to the NYDFS or about Part 500 in general.
© Arnold & Porter Kaye Scholer LLP 2023 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
[1] “Covered entity” is defined in Part 500 as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” (NY Comp. Codes R. & Regs. Tit. 23 § 500.01(c))
[2] Comments on the updated proposed Second Amendment must be submitted in writing to the NYDFS by 5 p.m. EDT on Monday, Aug. 14. Submissions should be sent by email to email@example.com or by mail to the New York State Department of Financial Services c/o Cybersecurity Division, Attn: Joanne Berman, 1 State Street Plaza, Floor 19, New York, NY, 10004.