NYDFS Announces Draft Amendments to Cybersecurity Regulation

Ballard Spahr LLP

On July 29, 2022, the New York Department of Financial Services (“NYDFS”) released Draft Amendments to its Cyber Security Regulations.  The Amendments, if adopted, would further regulatory trends and impose important new requirements on covered entities.

The Amendments contain three significant changes relating to ransomware.  First, the Amendment specifically adds “the deployment of ransomware within a material part of the covered entity’s information system” as a cybersecurity event requiring notice to the superintendent within 72 hours.  Under the current regulations, 72-hour notice would only be required if the ransomware required notice to another governmental body or had a reasonable likelihood of materially harming any material part of normal operations.  Second, the Amendment would also require covered entities to notify the superintendent within 24 hours of making an extortion payment.  And finally, the Amendment would require covered entities to provide within 30 days a written description of the reasons payment was necessary, a description of alternatives to payment considered, all diligence performed to find alternatives to payment, and all diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control.  If passed, this third component would represent a significant new obligation for covered entities, potentially changing the manner in which companies document ransomware responses.

In addition to the ransomware changes, the Amendments would also require, among other things: (1) multi-factor authentication for all privileged accounts, as well as for remote access to the network and enterprise and third-party applications from which nonpublic information is accessible; (2) increased expectations for board expertise; (3) significant restrictions on privileged accounts; and (4) annual independent cybersecurity audits for larger entities.  The Amendments have a short comment period ending on August 8, 2022, followed by the publishing of the official proposed amendments, after which a 60-day comment period will occur.

Given the comment periods still to come, it is premature to speculate as to the final form of the Amendments. However, based on the draft Amendments, it is safe to say that the NYDFS seems to be following the trend towards increased regulatory scrutiny. Covered entities should start assessing how significant the changes required for compliance would be.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
