On July 29, 2022, the New York Department of Financial Services (“NYDFS”) posted proposed amendments (“Proposed Amendments”) to its Cybersecurity Requirements for Financial Services Companies (“Cybersecurity Regulations”). The Proposed Amendments would expand upon the set of prescriptive cybersecurity requirements applicable to all covered financial institutions, as well as impose more stringent requirements for “Class A Companies” (as defined below). There will be a brief pre-proposal comment period, followed by the official publication of the Proposed Amendments, which will trigger a new 60-day comment period. Below are the key changes introduced by the Proposed Amendments.
Class A Companies
The Proposed Amendments introduce a new category of “Class A Companies,” which consists of large financial institutions that would be subject to heightened requirements. Specifically, Class A Companies are covered financial institutions with over (1) 2,000 employees (including those of both the covered institution and its global affiliates), or (2) $1 billion in gross annual revenue averaged over the last three fiscal years from all business operations of the entity and its affiliates. Under the Proposed Amendments, Class A Companies would be subject to the following new requirements (in addition to the new requirements that would be imposed on all covered financial institutions, as described further below):
- As part of the “cybersecurity program” requirements under Section 500.2 of the Proposed Amendments, Class A Companies must undergo an independent audit of their cybersecurity program on at least an annual basis.
- As part of the “penetration testing and vulnerability assessments” requirements under Section 500.5 of the Proposed Amendments, Class A Companies must conduct systematic vulnerability scans or reviews of information systems at least weekly.
- As part of the “access privileges” requirements under Section 500.7 of the Proposed Amendments, Class A Companies must (1) ensure use of strong, unique passwords; (2) monitor privileged access activity; and (3) unless, a reasonable equivalent is approved in writing by the company’s CISO, implement both a password vaulting solution for privileged accounts and an automated method for blocking commonly used passwords.
- As part of the “risk assessment” requirements under Section 500.9 of the Proposed Amendments, Class A Companies must use external experts to conduct a risk assessment at least once every three years.
- As part of the “training and monitoring” requirements under Section 500.14 of the Proposed Amendments, unless a reasonable equivalent is approved by the CISO, Class A Companies must implement (1) an endpoint detection and response solution to monitor anomalous activity, including lateral movement; and (2) a centralized solution for logging and security event alerting.
In addition to the new heightened requirements for Class A Companies, the Proposed Amendments would impose new requirements for all covered financial institutions, including the following:
- A covered entity’s cybersecurity policies must (1) be approved at least annually by a “senior governing body” (i.e., the board of directors or equivalent governing body, or if no such body exists, a responsible senior office), rather than solely a senior office; and (2) address certain additional subjects that are not currently required by the Cybersecurity Regulations, including end-of-life management and vulnerability and patch management.
- A covered entity’s CISO must have adequate independence and authority to ensure cyber risks are appropriately managed.
- The CISO’s obligation to report to the senior governing body (e.g., board of directors) has been expanded to include plans for remediating inadequacies and timely reporting on material cybersecurity issues or major cybersecurity events.
- If a covered entity has a board of directors, the board must (1) require the covered entity’s executive management or its delegates to implement and maintain the covered entity’s cyber program; and (2) possess sufficient expertise and knowledge (or be advised by persons with such expertise or knowledge) to exercise effective oversight of cyber risk and a committee or subcommittee assigned responsibility for cybersecurity.
- Covered entities must undergo annual penetration testing by a qualified independent party, as well as regular vulnerability assessments, and material gaps found during testing must be documented and reporting to the senior governing body.
- With respect to access controls, covered entities must (1) limit the use of privileged accounts to only when performing functions requiring the use of such access; (2) periodically review all user access privileges and remove accounts and access that are no longer necessary; and (3) disable or securely configure all protocols permitting remote control of devices.
- The risk assessments required by Section 500.9 of the Proposed Amendments must (1) be conducted at least annually; (2) be tailored to the specific circumstances of the covered entity, including its size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations; (3) include threat and vulnerability analyses; and (4) consider mitigations provided by existing security controls. Covered entities also must conduct an “impact assessment whenever a change in the business or technology causes a material change in the covered entity’s cyber risk.”
- A covered entity must implement multi-factor authentication for (1) remote access to the covered entity’s network and applications from which nonpublic information is accessible; and (2) all privilege accounts, except for service accounts that prohibit interactive login and for which the CISO has approved reasonably equivalent compensating controls.
- Covered entities must implement written policies and procedures designed to ensure a complete and accurate asset inventory, including policies and procedures that address (1) tracking key information for each asset (e.g., owner, location, classification or sensitivity, support expiration date, recovery time requirements); and (2) the frequency required to update and validate the asset inventory.
- A covered entity’s cyber program must include phishing training and exercises, as well as monitoring and filtering of emails to block malicious content.
- Covered entities must implement a written policy requiring industry-standard encryption to protect nonpublic information held or transmitted by the covered entity both in transit over external networks and at rest.
- A covered entity’s incident response plan, as required by Section 500.16 of the Proposed Amendments, must contain proactive measures to mitigate disruptive events (e.g., ransomware events) and ensure operational resilience.
- A covered entity must implement a business continuity and disaster recovery (“BCDR”) plan that (1) is designed to ensure the availability and functionality of the covered entity’s services, and protect the covered entity’s personnel, assets and nonpublic information in the event of an emergency or other disruption to its normal business activities; and (2) includes certain prescribed content, such as identification of data, personnel and infrastructure that are essential to continued operations, a communications plan for essential persons in the event of a disruption, and procedures for the maintenance of back-up infrastructure.
- A covered entity must (1) train relevant employees on its incident response and BCDR plans; (2) test (e.g., through tabletop exercises) its incident response and BCDR plans with all staff critical to the response; and (3) test its ability to restore its systems from backups.
- Covered entities must maintain backups that are isolated from network connections;
- In addition to notifying NYDFS within 72 hours of discovering a cybersecurity event that requires notice to any other supervisory body or has a reasonable likelihood of materially harming any material part of the covered entity’s operations, covered entities also must provide such notice for the following additional types of cybersecurity events: (1) where an unauthorized user gains access to a privileged account, or (2) ransomware is deployed within a material part of the covered entity’s information system.
- In the event of an extortion payment made in connection with a cybersecurity event, a covered entity must notify NYDFS within 24 hours of the payment and, within 30 days of the payment, provide a description of the reason(s) payment was necessary, the alternatives to payment that were considered, all diligence performed on alternatives to payment, and all diligence performed to ensure compliance with applicable rules (e.g., OFAC sanctions rules).
In addition, under the Proposed Amendments, a covered entity’s required annual certification of compliance with the Cybersecurity Regulations would need to be signed by the CEO and the CISO (or other individual responsible for the entity’s cyber program), rather than only by a senior officer. The Proposed Amendments also would allow covered entities to file, in lieu of such certification, an “acknowledgement” that the covered entity did not fully comply, along with a description of such non-compliance, and identification of all areas, systems and processes that require material improvement, updates or redesign.
The Proposed Amendments also would provide the following two clarifications with respect to potential penalties under the Cybersecurity Regulations: (1) the commission of a single act prohibited by the Cybersecurity Regulations, or the failure to satisfy an obligation required by the Cybersecurity Regulations, constitutes a violation (including “the failure to comply for any 24-hour period with any section or subsection” of the Cybersecurity Regulations); and (2) NYDFS will consider certain mitigating factors when assessing potential penalties, such as cooperation with NYDFS, good faith, whether the violation was intentional or deliberate, historical violations, whether the violation was isolated or systemic, any harm to consumers, involvement of senior management, and the gravity and number of violations. If adopted, the requirements in the Proposed Amendments would take effect in accordance with various prescribed schedules. For instance, many of the requirements would take effect 180 days from the date of adoption, while other requirements would not take effect until one year after adoption. The additional notification and certification requirements would take effect 30 days after adoption.