The New York Department of Financial Services (“DFS”) released its proposed second amendment to the Cybersecurity Regulation, 23 NYCRR Part 500 (“Proposed Second Amendment”) on October 9, 2022. DFS issued a minor amendment on April 2, 2020, revising the certification of compliance date (from February to April). The Proposed Second Amendment follows DFS’s “pre-proposed” draft from July 2022 and largely tracks those requirements, with a handful of changes identified below. While the proposed language is not surprising and generally aligns with DFS’s prior guidance and enforcement actions (and is still subject to a 60-day comment period), the enhanced requirements will impose significant cybersecurity obligations on covered entities if adopted. As Superintendent Adrienne A. Harris noted in her announcement of the Proposed Second Amendment, “Cyber criminals go after all types of companies, big and small, across industries, which is why all of our regulated entities must comply with these standards – whether a bank, virtual currency company, or a health insurance company.”
Below we outline some of the key takeaways from the Proposed Second Amendment, which are material changes from the existing Cybersecurity Regulation:
- Operationalize Cybersecurity Policy (§ 500.3). DFS not only requires covered entities to maintain written information security policies (which must continue to be informed by the covered entity’s risk assessment), but, now, the Proposed Second Amendment would require covered entities to also document how such policies are operationalized. Developing, documenting, and implementing procedures in accordance with the covered entity’s cybersecurity policy may be a considerable undertaking and require regular oversight and updating (as policies evolve).
- Data Retention (§ 500.3). The Proposed Second Amendment explicitly requires covered entities to develop retention policies. DFS stops short, however, of offering guidance as to the length of appropriate retention periods.
- Cybersecurity Governance (§ 500.4). DFS has signaled that cybersecurity does not stop with a cybersecurity department – it must reach the most senior levels of a covered entity. For example, the Proposed Second Amendment would require covered entities with a board of directors or equivalent to “have sufficient expertise and knowledge, or be advised by persons with sufficient expertise and knowledge, to exercise effective oversight of cybersecurity risk management.” Part and parcel with this requirement – the CISO of a covered entity would be required to not only report on cybersecurity issues to the covered entity’s senior governing body (which is included in the current Cybersecurity Regulation), but must also have adequate authority to manage cybersecurity risks appropriately.
- Vulnerability and Penetration Testing Requirements (§ 500.5). The Proposed Second Amendment would require covered entities to develop and implement written policies and procedures for vulnerability management which, at a minimum, ensure that covered entities conduct penetration testing of information systems from both inside and outside the boundaries by a “qualified internal or external independent party at least annually.” Interestingly, the pre-proposed draft specified only that the penetration testing be conducted by an “independent party,” without reference to whether that party was internal or external. It is unclear how DFS defines (or will define) who a “qualified internal independent party” may be. DFS would also require that a monitoring process be in place for emerging threat intelligence and for timely remediation of any identified vulnerabilities.
- Access Controls (§ 500.7). In the Proposed Second Amendment, DFS adds prescriptive access control requirements, including: (1) explicit access controls to limit access to nonpublic information to users with a “need to know” and (2) an affirmative obligation to review user access privileges at least annually.
- Multi-factor Authentication (MFA) (§ 500.12). In a significant departure from its prior MFA requirement, which turned on the “external access to internal network” distinction (e.g., MFA “shall be utilized for any individual accessing the covered entity’s internal networks from an external network”), the Proposed Second Amendment stipulates that MFA (with limited exceptions) is required for any: (1) remote access to information systems; (2) remote access to third party applications from which nonpublic information is accessible (including cloud-based applications); and (3) all privileged accounts. This is a major change from the prior MFA requirement and even from the July 29, 2022 pre-proposed draft amendment. The Proposed Second Amendment does retain the “compensating control” exemption, allowing covered entities to implement reasonably equivalent or more secure compensating controls if approved by the CISO, which the pre-proposal had removed.
- Asset Management (§ 500.13). Perhaps one of the most significant changes to the Cybersecurity Regulation in the Proposed Second Amendment is the requirement to maintain policies and procedures “to ensure a complete, accurate and documented asset inventory,” which shall include a method to track key information for each asset, including the (i) owner, (ii) location, (iii) classification or sensitivity, (iv) support expiration date, and (v) recovery time requirements. This new requirement is not limited to certain assets, such as corporate-owned devices or assets accessing NPI. DFS seems to build on the existing requirement to maintain an asset inventory policy (§ 500.3(c)) to offer more prescriptive asset management requirements, emphasizing the importance of maintaining visibility of the covered entity’s assets and their potential vulnerabilities.
- Stronger Emphasis on Encryption (§ 500.15). The current Cybersecurity Regulation requires covered entities to implement controls to protect NPI at rest and in transit, including encrypting NPI (unless infeasible). Under the Proposed Second Amendment, covered entities are required to implement encryption that meets industry standards, rather than the previously used broad-based “controls.” And while DFS has maintained the infeasibility exception for encryption at rest (allowing effective alternative compensating controls), there is no such carve-out for encryption of NPI in transit.
- Incident Reporting (Ransomware and Extortion Payments) (§ 500.17). As in its pre-proposal, DFS has maintained the requirement that covered entities notify DFS within 24 hours of any extortion payment and submit, within 30 days, a written explanation of the reasons payment was necessary, a description of alternatives to payment considered, all diligence performed to find alternatives to payment, and all diligence performed to ensure compliance with applicable OFAC rules. This reporting requirement will undoubtedly need to be weighed against attorney-client privilege considerations when conducting an investigation into a cyberattack. DFS would also require notice if ransomware is deployed within “a material part of the covered entity’s information system,” though the term “material” remains undefined.
- Business Continuity Plan (§ 500.16). Under the Proposed Second Amendment, covered entities would be required to maintain a comprehensive business continuity and disaster recovery (BCDR) plan in addition to an incident response plan (IRP), provide training to all responsible employees, and test the plans on a periodic basis (§ 500.16(a)(2)). DFS requires that BCDR plans include minimum information, such as identifying the documents, systems, and personnel that are critical to continuing operations, as well as procedures for maintaining back-ups. Covered entities must also establish a communication plan for essential persons, which includes not only employees of the covered entity but also third party service providers, disaster recovery specialists, regulatory authorities, and document recovery persons.
- Class A Companies. Class A Companies, which are those with at least $20M in gross annual revenue that also: (1) have over 2,000 employees or (2) have over $1B in gross annual revenue, are subject to additional requirements. For example, they must complete a risk assessment by an external expert every three years (§ 500.9(d)); have a privileged access management solution and an automated method of blocking commonly used passwords (§ 500.7(b)); and utilize endpoint detection monitoring and a solution to centralize logging and security event reporting (§ 500.14(b)).
- Enforcement/Compliance. Importantly, DFS would consider a single act, or any failure to comply with any portion of the regulation for a 24-hour period, to be a violation of the Cybersecurity Regulation. While DFS will consider “the length of time over which [the violation] occurred,” suggesting that DFS may be more lenient for a violation over a very short period of time as compared to an extended period, the standard seems untenable. For example, vulnerability scans and penetration tests frequently identify vulnerabilities, and while the Proposed Second Amendment states that vulnerabilities must be remediated in a “timely” fashion, it is unclear what those timeframes may be. Accordingly, without further guidance on various aspects of the regulation, covered entities may find it difficult to avoid violating the regulation over a 24-hour period.
DFS continues to lead the “cyber regulatory way,” and the Proposed Second Amendment is no different. The 60-day comment period ends January 9, 2023, with a planned phased rollout beginning 180 days from the effective date of the Proposed Second Amendment.