On November 9, 2022, the New York Department of Financial Services (“NYDFS”) issued a proposed amendment to its Part 500 Cybersecurity Regulation (the “Proposed Amendment”), revising the first set of proposed amendments released in July 2022. Although NYDFS’s jurisdiction is relatively limited, the regulation’s prompt breach-reporting requirements and focus on data governance have had considerable influence on other US financial services regulators. The current regulation imposes a 72-hour reporting requirement for cybersecurity events; the Proposed Amendment goes further, adding a 24-hour notification obligation when a ransomware payment is made. The Proposed Amendment also creates new requirements for large “Class A” companies, including a risk assessment by an outside expert every three years and an annual independent audit of the cybersecurity program.
Overview of the Cybersecurity Regulation
NYDFS regulates certain financial institutions operating in New York under licenses or similar authorizations granted under the state banking, insurance, or financial services laws. The direct impact of NYDFS regulation on brokers, dealers, and investment advisers may appear limited, since such firms register with the Securities Division of the New York Attorney General’s Office rather than with NYDFS; however, entities that sell annuities or other insurance products may hold insurance licenses issued directly by the department. The Cybersecurity Regulation, designed to protect financial institutions’ information systems and customer data, took effect in March 2017. It requires covered entities to assess their specific risk profile and to design a comprehensive cybersecurity program that addresses those risks. In essence, NYDFS calls for basic cybersecurity governance and holds each covered entity’s senior management accountable by requiring an annual certification of compliance.
As noted above, in July 2022 NYDFS released an initial proposed amendment to the Cybersecurity Regulation, followed by a pre-proposal comment period during which industry stakeholders commented on the changes under consideration. The following highlights the provisions of the Proposed Amendment that represent significant changes from the existing regulation.
Key Provisions of the Proposed Amendment
Enhanced cyber event notification obligations. The Proposed Amendment would require covered entities to notify NYDFS within 72 hours of a cybersecurity event involving unauthorized access to privileged accounts or the deployment of ransomware within a material part of the covered entity’s information systems. If an extortion payment is made in connection with a ransomware event, the covered entity must notify NYDFS within 24 hours of the payment and, within 30 days, provide a written explanation of why the payment was necessary, the alternatives that were considered, and the sanctions-related diligence performed before paying. Further, a covered entity affected by a cybersecurity event at a third-party service provider must notify NYDFS within 72 hours of becoming aware of the event.
New requirements for large enterprises. The Proposed Amendment creates additional requirements for “Class A” companies, defined as covered entities with either (1) at least $20 million in gross annual revenue from New York business operations in each of the last two fiscal years and more than 2,000 employees (including employees of affiliates), or (2) more than $1 billion in gross annual revenue from all business operations (including affiliates) in each of the last two fiscal years. New obligations for “Class A” companies include:
- Weekly systematic scans or reviews reasonably designed to identify publicly known cybersecurity vulnerabilities, with material gaps reported to the board and senior management.
- An endpoint detection and response solution for monitoring anomalous activity.
- A SIEM or other solution that centralizes logging and security event alerting.
- Monitoring of privileged access activity.
- A password vaulting solution for privileged accounts.
- An automated method of blocking commonly used passwords.
- An annual independent audit of the cybersecurity program.
- A risk assessment by an external expert at least once every three years.
Expanded governance obligations. NYDFS continues to focus on board and senior management accountability, requiring that the Chief Information Security Officer (“CISO”) have “appropriate authority to adequately manage cybersecurity risks, including the ability to direct adequate resources to implement and maintain the cybersecurity program.” Additional governance requirements are:
- An annual CISO report to the board of directors.
- A certification of compliance signed by the covered entity’s highest-ranking executive and its CISO.
- Oversight and direction from the board of directors (or an equivalent governing body or appropriate committee) to management regarding cybersecurity risk management.
Asset management and security requirements. Under the Proposed Amendment, covered entities would be required to maintain an inventory of their information systems that tracks, for each asset, (1) owner, (2) location, (3) classification or sensitivity, (4) support expiration date, and (5) recovery time requirements. Protecting assets and information remains an ongoing priority for NYDFS. For example, the Proposed Amendment requires multi-factor authentication (“MFA”) for all privileged accounts, unless the covered entity’s CISO has approved in writing reasonably equivalent or more secure compensating controls.
Enforcement. Under the Proposed Amendment, failure to comply with any part of the Cybersecurity Regulation would constitute a violation. Such violations include, but are not limited to, (1) a failure to secure or prevent unauthorized access to an individual’s or entity’s non-public information resulting from non-compliance, and (2) a material failure to comply with any section of the regulation for any 24-hour period. In assessing penalties, NYDFS would consider a range of mitigating factors, including the covered entity’s good faith, its history of prior violations, the extent of harm to consumers, the gravity of the violation, whether the violation was an isolated incident, and whether affected consumers received accurate and timely disclosure.
Next Steps
The 60-day comment period for the Proposed Amendment ends on January 8, 2023. If adopted, the amendment will take effect 180 days from the date of adoption. As the cybersecurity landscape continues to evolve, financial institutions should review their cybersecurity programs and incident response protocols and develop plans to address the updated requirements where applicable. Ropes & Gray will continue to monitor NYDFS developments.