On November 9, the New York State Department of Financial Services (“DFS”) formally proposed amendments (the “Proposed Amendments”) to the Part 500 Cybersecurity Regulations (the “Cybersecurity Regulations”). The Proposed Amendments, which if adopted would go into effect sometime in 2023, clarify existing requirements and provide more specificity to existing guidelines under the Cybersecurity Regulations.
For financial institutions regulated under the DFS Cybersecurity Regulations, the Proposed Amendments (if adopted) will require substantial updates to companies’ cybersecurity compliance programs, including in relation to corporate governance, notification and reporting requirements, and asset management and security. Perhaps most notably, the Proposed Amendments would require companies that make ransomware payments to notify DFS of such payments within 24 hours and to provide additional information regarding such payments within 30 days. DFS has also been relatively active in enforcing the Cybersecurity Regulations and has issued multiple multi-million dollar fines for violations, which raises the stakes for compliance.
In terms of next steps – the Proposed Amendments became open for comment on November 9, 2022, beginning the 60-day comment period. Accordingly, interested parties will be able to comment until 5 PM EST on Monday, January 9, 2023. Once the comment period has closed, DFS will conduct a comment analysis, and will either adjust the final regulations to reflect those comments or issue a modified proposal. If adopted, the Proposed Amendments would become effective 180 days after the date of adoption (though many of the technology-related requirements would not go into effect until one year after adoption).
In March 2017, DFS adopted comprehensive cybersecurity regulations for financial institutions that fall under its purview, the Cybersecurity Regulations, which served as a model for other cybersecurity regulatory bodies across the globe. Earlier this year, on July 29, DFS released a draft of proposed amendments (the “Pre-proposed Amendments”) to the Cybersecurity Regulations, indicating that it intended to modify and update the Cybersecurity Regulations to account for more recent threats.
On November 9, DFS released the “Proposed Amendments”. Like the Pre-proposed Amendments, the Proposed Amendments provide specificity to the various pieces of the existing regulation that are left open to interpretation by businesses’ senior governance. The changes reflect DFS’s goal to provide businesses with clear guidance to ensure successful compliance, especially in times of crises.
The Proposed Amendments continue to focus on various topics including senior governance’s responsibility to oversee cybersecurity, notification and reporting of incidents, risk assessment, asset management and security, and penalties for noncompliance. However, as the Pre-proposed Amendments indicated, the Proposed Amendments expand the requirements under each of these topics. For example, they expand the definition of a security event to include ransomware attacks and institute a 24-hour notification requirement in such an event. They also create a new class of covered businesses, “Class A” businesses. These are defined as companies that have over 2,000 employees (including affiliates) or over $1 billion revenue averaged over three fiscal years. Businesses that meet this definition should become familiar with the Proposed Amendments as they are subject to heightened compliance requirements. Further, although these changes build on the previous rules, the changes indicate that most businesses will need to actively reassess compliance obligations and budget for the necessary changes.
We have provided our key takeaways regarding the evolution of the Proposed Amendments below and are happy to answer any questions that you may have about the Cybersecurity Regulations.
- Senior Governance’ Responsibility. Under the Cybersecurity Regulations, businesses are required to assign a Chief Information Security Officer (“CISO”) which oversees, implements, and enforces cybersecurity policies. However, like under the Pre-proposed Amendments, under the Proposed Amendments board of directors are more responsible for governance of cybersecurity risk. For example, board members of covered businesses are required to have access to sufficient expertise to effectively oversee cyber risk personnel. A business’ CISO must report to senior governing bodies any material cybersecurity issues including updates to a business’ risk assessment or major cyber events. Further, board members are required to annually approve a business’ cybersecurity policy.
The Proposed Amendments also place an emphasis on the independence of the CISO, thereby strengthening the role of the CISO. However, unlike in the Pre-proposed Amendments, DFS does not go as far as to give the CISO the ability to direct sufficient resources to implement and maintain the cybersecurity program. Instead, DFS assigns that choice of budget allocation to business leadership.Notification and Reporting. Since breaches, specifically ransomware attacks, are of immense concern to DFS, the Proposed Amendments create heightened notification and reporting requirements for covered businesses. The Proposed Amendments expand the definition of a security event, that requires notification to DFS within 72-hours, to include incidents of unauthorized access to privileged accounts and ransomware attacks. For example, businesses affected by ransomware attacks which decide to make extortion payments must report those payments within 24 hours. A business’ report must include a written explanation of the reasons for payment, alternatives to payment, diligence performed to avoid payment, and diligence performed to comply with all applicable DFS regulations within 30 days of payment.
- Risk Assessment. Like under the Cybersecurity Regulation, the Proposed Amendments require businesses to conduct risk assessments and report findings to senior governance. However, the Proposed Amendments create more specific guidelines for compliance. For example, businesses must conduct annual audits on their risk assessments strategies and update their cybersecurity programs accordingly. Under the Proposed Amendments, in addition to annual risk assessments, businesses are required to conduct a risk assessment if there is any material change to a business’ cybersecurity risk.
The Proposed Amendments represent a stricter approach to risk assessment than the Pre-proposed Amendments foreshadowed. For example, unlike under the Pre-proposed Amendments, if material changes are made under the Proposed Amendments, businesses must conduct an impact assessment on the companies cyber risk. Further, the Pre-proposed Amendments gave businesses discretion to conduct penetration testing by a qualified internal or external party, while the Proposed Amendments are stricter and require that businesses hire a qualified independent party to annually conduct penetration testing of information systems.
Class A businesses are subject to even more stringent risk assessment requirements including required weekly vulnerability assessments consisting of systematic scans or reviews of information systems designed to identify cybersecurity vulnerabilities. In addition, Class A companies are required to hire external experts to conduct risk assessments every three years.
- Asset Management and Security: The Proposed Amendments focus heavily on asset management and security. Just as in the Pre-proposed Amendments, the Proposed Amendments would put in place specific requirements for asset management and security, as well as minimize the discretionary power of a CISO in making asset management and security decisions. Businesses will be expected to maintain an inventory of all hardware and software assets, including their location and accessibility. These changes also indicate that securing access to assets is a priority. For example, the Proposed Amendments require that all outstanding privileged accounts be subject to multifactor authentication (“MFA”). This is a departure from the Cybersecurity Regulations under which a business’ CISO has discretion to determine the need for MFA. If the Proposed Amendments are adopted, a CISO will need to explain the lack of MFA and present an equally secure alternative. In addition, under the Proposed Amendments, Class A companies have stricter password security requirements, for example, the requirement to provide password vaulting for privileged accounts.
- Penalties: The penalties laid out by the Proposed Amendments do not vary greatly from the Pre-proposed Amendments. A violation is defined broadly as any lack of compliance with the Cybersecurity Regulations. Further, every 24-hour period that a violation continues will constitute a separate violation. However, DFS will consider mitigating factors that led to noncompliance including good faith, investigation of noncompliance, gravity of the violation, whether the incident was an isolated event, accurate and timely disclosure to those affected, etc. Affected businesses should emphasize these mitigating factors when filing their incident report with DFS.