New York State Department of Financial Services Proposes Updates to Cybersecurity Regulation
On July 29, 2022, the New York Department of Financial Services (DFS) released Draft Amendments to its Part 500 Cybersecurity Rules. These changes are open for preliminary public comment until August 18, and an additional 60-day comment period will start when the proposed rule is published in the New York State Register.
Since March 2017, DFS has imposed cybersecurity requirements on the financial services industry. Banks, insurance companies, and other financial services institutions licensed under New York’s financial services, banking, and insurance laws are subject to the Cybersecurity Rules, which require a risk assessment and a formal cybersecurity program.
Key Changes to the Regulation
The draft amendments focus on cybersecurity governance and would add a set of additional technical and policy requirements seemingly intended to respond to evolving cybersecurity threats. The draft amendments would also create a class of large organizations subject to additional rules, add reporting obligations for a potentially much broader set of cybersecurity incidents than the existing regulation requires, and clarify enforcement priorities. A high-level summary of key proposed changes follows:
The draft amendments would create a new class of covered entity, “Class A,” defined as companies with more than 2,000 employees or over $1 billion in gross annual revenue. As detailed below, Class A covered entities would be subject to heightened requirements.
Similar to the proposed regulation put forth by the U.S. Securities and Exchange Commission (SEC) in March 2022, the draft amendments would require boards of directors to have or obtain expertise to enable effective oversight of cyber risks.
DFS seeks to increase the independence of cybersecurity activities and assessment within organizations. Specifically, the draft amendments would require the organization’s Chief Information Security Officer (CISO) or equivalent to “have adequate independence and authority to ensure cybersecurity risks are appropriately managed.” Class A companies would also be required to hold annual independent audits of their cybersecurity programs.
DFS proposes to add to its existing 72-hour reporting requirement for material cybersecurity incidents by mandating use of the DFS website electronic form and requiring new notifications to DFS for cybersecurity events in which an unauthorized user gains access to a privileged account, when a company is victimized by ransomware, and when a ransomware victim pays the extortion payment. A covered entity that makes a ransomware payment must report the payment to DFS within 24 hours, with a subsequent required explanation within 30 days.
Technical and Policy Requirements
The draft amendments would add several new policy and technical requirements to the mandatory cybersecurity policies and programs.
Covered entities would have to institute additional access control and user management practices designed to reduce vulnerabilities, such as limiting user access and privileged accounts. DFS proposes to require multi-factor authentication (MFA) for remote access to the network and enterprise and third-party applications from which nonpublic information is accessible, and notably, the proposed update removes text (SMS) messaging as a DFS-compliant “possession factor” method of MFA.
The proposed changes would require companies to disable or securely configure all protocols that permit remote control of devices (the terms “remote control” and “devices” are not defined), ensure strong and unique passwords, monitor and filter emails to block malicious content, and use “industry standard” encryption to protect nonpublic information (with an exception if certified by the CISO and reviewed regularly).
In addition to the above requirements, Class A companies would have to implement an endpoint detection and response solution, use a centralized logging and security event alerting service, and monitor privileged accounts. Class A companies would also have to adopt a “password vaulting solution for privileged accounts” and “an automated method of blocking commonly used passwords.”
The proposed regulation specifies elements of a business continuity and disaster recovery plan (including addressing ransomware scenarios) and would require organizations to communicate those plans within the organization and test them periodically. Covered entities would need to maintain backups that are isolated from network connections and test the capability to restore systems from backups. Covered entities would also be required to conduct phishing training and hold cybersecurity exercises and simulations when appropriate.
Definitional and Administrative Updates
The draft amendments propose several clarifying edits to the existing regulation, including expanding the purpose of a required cybersecurity program to protect “nonpublic information” stored on covered entities’ information systems. The proposed updates also confirm that companies regulated by other government agencies are subject to the DFS regulation if they are “required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the [New York State] Banking Law, the Insurance Law or the Financial Services Law.”
The proposed update also accounts for small and alternatively organized businesses by defining a “senior governing body” for organizations without a board of directors and expanding the class of businesses that qualify for limited exemptions based on the number of employees or revenue.
If adopted, covered entities would have 180 days to comply with the new rules once finalized, except that entities would only have 30 days to comply with the updated incident notification requirements and one year to comply with the updated password, MFA, and endpoint detection and logging requirements (if applicable).
The proposed amendments define a violation of the regulation as a failure to secure or prevent unauthorized access to an individual or entity’s nonpublic information or a 24-hour period of noncompliance with the requirements of the regulation. The draft regulation describes factors for DFS to consider in enforcement proceedings, including the cooperation and “good faith” of the organization, its past compliance history, harm to consumers caused by the violation, and timely, complete disclosures about an incident.
When adopted in 2017, New York DFS’ regulations represented a new phase in state cybersecurity regulation by requiring adoption of specific capabilities and technologies. Regulatory requirements of this nature had been limited to national security contractors or other high-risk critical infrastructure. The proposed amendments move further in the direction of prescriptive requirements for industry and demonstrate regulators paying attention to evolving threats such as ransomware and seeking to adopt rules based on perceived gaps.