On November 9, 2022, the New York Department of Financial Services (“NYDFS”) announced proposed amendments to its Part 500 Cybersecurity Rules (“Proposed Amendments”), revising an initial set of draft amendments released in July 2022. While NYDFS may have relatively limited jurisdiction, its emphasis on rapid breach reporting and data governance has had considerable influence on other U.S. financial services regulators. The current Cybersecurity Rules impose a 72-hour reporting requirement for cybersecurity events, and the Proposed Amendments go farther, creating an additional 24-hour notification obligation in the event a ransomware payment is made. Additionally, the Proposed Amendments create new requirements for larger “Class A” companies, including a risk assessment by an external expert every three years and an independent audit of cybersecurity programs annually.
Overview of Cybersecurity Rules
NYDFS regulates certain financial institutions operating in New York pursuant to a license or similar authorization under the state’s banking, insurance, or financial services law. While the practical effect of NYDFS regulations on brokers, dealers, and investment advisers may seem indirect—such companies register with the Securities Division of the New York Attorney General’s office and not NYDFS—entities that sell annuities or other insurance products likely have an insurance license issued directly from the department. Designed to protect financial institutions’ information systems and customer data, the Cybersecurity Rules, which became effective in March 2017, require covered entities to assess their specific risk profile and design comprehensive cybersecurity programs that address such risks. In essence, NYDFS mandates basic cybersecurity governance and holds an institution’s senior leadership accountable by requiring annual certifications confirming compliance.
As noted above, in July 2022, NYDFS released draft amendments to its Cybersecurity Rules, the release of which was followed by a pre-proposal comment period during which industry stakeholders shared comments regarding the changes under consideration. Below are takeaways from the revised Proposed Amendments that reflect material changes from the existing Cybersecurity Rules.
Key Takeaways from Proposed Amendments
Enhanced Cyber Event Notification Obligations. The Proposed Amendments require 72-hour notice to NYDFS of unauthorized access to privileged accounts or the deployment of ransomware within a material part of a covered entity’s information system. They also impose a 24-hour notification obligation in the event a ransom payment is made and a 30-day requirement to provide a written description of why payment was necessary, the alternatives considered, and the sanctions diligence conducted. Additionally, covered entities affected by a cybersecurity event at a third-party service provider must notify NYDFS within 72 hours from the time the covered entity becomes aware of the event.
New Requirements for Larger Companies. The Proposed Amendments create additional requirements for “Class A” companies, which include entities with (1) an in-state (New York) gross annual revenue of at least $20 million in each of the last two fiscal years and over 2,000 employees (including employees working at an affiliate), or (2) more than $1 billion in gross revenue in each of the last two fiscal years from all operations (including affiliate revenue). New obligations for “Class A” companies include:
- Weekly systematic scans or reviews reasonably designed to identify publicly known cybersecurity vulnerabilities and report any material gaps to the board and senior management;
- Endpoint detection and response solution to monitor anomalous activity;
- An SIEM or other solution that centralizes logging and security event alerting;
- Privileged access activity monitoring;
- A password vaulting solution for privileged accounts;
- An automated method of blocking commonly used passwords;
- An annual, independent audit of their cybersecurity programs; and
- A risk assessment by external experts at least once every three years.
Expanded Governance Obligations. NYDFS continues its focus on the accountability of boards and senior management by requiring the Chief Information Security Officer (“CISO”) to have “adequate authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program.” Additional governance requirements include:
- Annual CISO reports to the board;
- Compliance certifications signed by the “highest-ranking executive” and the CISO; and
- That the board (or its equivalent or the appropriate committee) exercises oversight of and provides direction to management on cybersecurity risk management.
Asset Management and Security Requirements. Under the Proposed Amendments, covered entities must maintain written policies and procedures “designed to ensure a complete, accurate and documented asset inventory,” which includes a method to track key information for each asset, including the (1) owner, (2) location, (3) classification or sensitivity, (4) support expiration date, and (5) recovery time requirements. Protecting assets and information is, not surprisingly, a continued priority for NYDFS. For example, the Proposed Amendments require multi-factor authentication (“MFA”) for (1) remote access to a covered entity’s information systems, (2) remote access to third-party applications (including cloud-based applications), and (3) all privileged accounts—except, in all instances, where reasonably equivalent or more secure compensating controls have been implemented and approved in writing by the company’s CISO.
Enforcement. Any failure to comply with any portion of the Cybersecurity Rules is, under the Proposed Amendments, a violation of the regulations. Specifically, such acts or failures include, without limitation: (1) the failure to secure or prevent unauthorized access to an individual’s or an entity’s nonpublic information due to noncompliance, or (2) the failure to comply for any 24-hour period. Notably, however, NYDFS will consider various mitigating factors that contributed to noncompliance including good faith, any history of prior violations, extent of harm to consumers, gravity of the violation, whether the incident was an isolated event, and accurate and timely disclosure to affected consumers.
The 60-day comment period for the Proposed Amendments continues until January 8, 2023. If adopted, the Proposed Amendments will take effect 180 days from the date of adoption. As the cybersecurity landscape continues to change, financial institutions should review their cyber programs and incident response protocols and develop a plan to address the updated Cybersecurity Rules, if applicable. Ropes & Gray will continue to monitor NYDFS developments. Subscribe to RopesDataPhiles for updates.