On November 9, 2022, the New York Department of Financial Services (NYDFS) released its second proposed amendments to the Part 500 Cybersecurity Rule. The proposed amendments revise several aspects of the draft Cybersecurity Rule amendments released on July 29, 2022. These changes reflect several comments made in response to the draft Cybersecurity Rule and further clarify and strengthen various requirements, as highlighted below.
The following are some of the key changes in the proposed amendments:
The proposed amendments provide three new cybersecurity events that Covered Entities must report to NYDFS via the NYDFS online cybersecurity portal within 72 hours:
- Unauthorized access to privileged accounts;
- Deployment of ransomware within a material part of the Covered Entity’s systems; and
- Any cybersecurity event that affects a third-party service provider and also affects the Covered Entity.
Additionally, Covered Entities must provide NYDFS with any additional information requested by NYDFS related to the investigation of a cybersecurity event within 90 days of notice. The Covered Entity must also provide continuous updates and any supplementary information related to the investigation.
The proposed amendments provide a new notification requirement for ransomware payments. If a Covered Entity makes a ransomware payment, the Covered Entity is required to notify NYDFS within 24 hours of payment. When notifying NYDFS, a Covered Entity that makes a ransomware payment must also provide a written description of the payment within 30 days, describing why payment was necessary, what alternatives were available and all related diligence performed to ensure compliance with any applicable laws and regulations.
Revised Definition of Class A Companies
The proposed amendments now define Class A companies as Covered Entities with at least $20 million in gross annual revenue in-state in each of the past two fiscal years from business operations of the Covered Entity and its affiliates, and either: (1) more than 2,000 employees over the past two fiscal years, regardless of location, including those of both the Covered Entity and all of its affiliates, or (2) more than $1 billion in gross annual revenue in each of the past two fiscal years from all business operations of the Covered Entity and all of its affiliates. A Covered Entity that qualifies as a Class A company will also be subject to several additional compliance requirements under the proposed amendments, including an independent audit by an external auditor at least annually, the use of external experts to conduct risk assessments at least once every three years and implementation of an endpoint detection and response solution.
Penetration Testing, Vulnerability Assessments and Risk Assessments
The proposed amendments make significant changes to the technical requirements of the Cybersecurity Rule. Some of these changes include:
- Covered Entities must conduct penetration testing of their systems, internally and externally, by a qualified internal or external independent party at least annually.
- Covered Entities must have a monitoring process that ensures prompt notification of any new security vulnerabilities.
- Covered Entities must possess written policies and procedures for vulnerability management, mandate automated scans of systems and manually review systems not covered by these scans as frequently as determined by the risk assessment or promptly after any major system changes.
- Covered Entities must review and update their risk assessments at least annually, and whenever a significant change in business or technology causes a material change to their cyber risk.
The proposed amendments now require a Covered Entity to address new issues in their cybersecurity plans, including data retention, end of life management, remote access controls, systems monitoring, security awareness and training, application security, incident notification and vulnerability management.
The proposed amendments also require a Covered Entity to limit the number of accounts, access functions and actual use based on what is necessary for a user to perform their job. This includes a requirement that a Covered Entity periodically, or at least annually, review all user access privileges and remove or disable accounts that are no longer necessary (i.e., prompt termination of systems access following an employee’s departure).
The proposed amendments introduce a new certification requirement: a Covered Entity must have its highest-ranking executive and CISO (or senior cybersecurity officer) sign an annual certification of compliance with NYDFS Part 500.
Incident Response and Business Continuity and Disaster Recovery Plan
The proposed amendments now require a Covered Entity to provide relevant training on its incident response plan and its business continuity and disaster recovery plan to all employees necessary to implement such plans. These plans must be tested at least annually, and must be distributed and accessible to relevant employees.
The proposed amendments require a Covered Entity to use multifactor authentication (MFA) for all remote access to systems, third-party applications and all privileged accounts. Alternatively, the CISO can approve, in writing, the use of reasonably equivalent or more secure controls in place of MFA; such approvals must be reviewed periodically, and at least annually, by the CISO.
The proposed amendments require a senior governing body to approve a Covered Entity’s cybersecurity policies and procedures for the protection of its systems and nonpublic information stored in systems, at least annually.
The proposed amendments also provide several requirements for CISOs, and provide them with the adequate authority to “ensure cybersecurity risks are appropriately managed.” Some of these requirements include timely reporting to the senior governing body regarding material cybersecurity issues (i.e., major cybersecurity events or updates regarding risk assessments) and reporting plans of remediation to address material inadequacies.
The proposed amendments also require a Covered Entity’s board of directors or equivalent (i.e., an appropriate committee of the board) to exercise oversight of cybersecurity risk management, including developing, implementing and maintaining cybersecurity programs. The board of directors or equivalent must possess sufficient expertise or knowledge, or be advised by persons with sufficient expertise or knowledge, to exercise oversight of cybersecurity risk management.
The 60-day public comment period to the proposed amendments ends on January 9, 2023, and members of the public are invited to submit comments here.