NYDFS Issues Revised Proposed Second Amendment to Its Cybersecurity Regulation

BakerHostetler

The New York State Department of Financial Services (NYDFS) recently published a revised proposed second amendment to its cybersecurity regulation, 23 NYCRR 500. We wrote about the first and second proposed amendments here and here, respectively. Below are some of the key changes in the most recent proposed amendment.

Cybersecurity Governance: CISO and Board Oversight

The most recent proposed amendment seeks to clarify the definition and role of a chief information security officer (CISO) as well as to make clear that the “senior governing body” (as opposed to “board of directors or equivalent” in the previous proposed amendment) must have oversight of a covered entity’s cybersecurity program.

  • Revised definition of CISO: Chief Information Security Officer or CISO means a qualified individual responsible for overseeing and implementing the covered entity’s cybersecurity program and enforcing its cybersecurity policy, who has adequate authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain an effective cybersecurity program. §500.1(c).
    • NYDFS’s responses to public comments state that “Oversight does not mean direct supervision. Proper oversight requires the CISO to be involved, and the CISO cannot simply delegate a portion of that oversight responsibility to another staff member and not be involved. At a minimum, the CISO should be aware of what is being done by other persons with respect to the cybersecurity program and confirm that what is being done complies with the requirements contained in Part 500.”
  • Revised obligation of CISO to report to senior governing body: The CISO shall timely report to the senior governing body on material cybersecurity issues, such as significant updates to the covered entity’s cybersecurity risk assessment or significant cybersecurity events. §500.4(c) (emphasis added).
    • NYDFS added “significant” and “significant cybersecurity” as qualifiers to the types of items a CISO must report to the board to clarify that nonmaterial cybersecurity issues or changes do not need to be reported to the senior governing body.
  • Responsibilities of the senior governing body:
    • The senior governing body of the covered entity shall: (1) exercise effective oversight of the covered entity’s cybersecurity risk management; (2) have sufficient understanding of cybersecurity-related matters to exercise such oversight, which may include the use of advisors; and (3) require the covered entity’s executive management or its designees to develop, implement and maintain the covered entity’s cybersecurity program. §500.4(d).
      • The proposed revision replaced “board of directors” with “senior governing body” in response to comments that covered entities should have greater leeway in how they organize their boards and how those boards conduct risk management.
      • The proposed revision deleted language requiring the board of directors to “provide direction to management on” cybersecurity risk management to address comments that boards ought to provide oversight only, rather than direct management.
      • The proposed revision also makes clear that cybersecurity experts are not required on the board but that board members should have sufficient understanding of cybersecurity issues to exercise oversight and that the use of advisors to achieve this oversight is permitted.

Risk Assessments

The most recent proposed amendment narrows the definition of risk assessment and removes a requirement that Class A companies use external experts to conduct a risk assessment once every three years.

  • Revised definition of risk assessment: Risk assessment means the process of identifying, estimating and prioritizing cybersecurity risks to organizational operations (including mission, functions, image and reputation), organizational assets, individuals, customers, consumers, other organizations and critical infrastructure resulting from the operation of an information system. Risk assessments incorporate threat and vulnerability analyses and consider mitigations provided by security controls planned or in place. §500.1(o).
    • In response to comments and to align with the definition of the term used in publications from NIST, NYDFS removed the portion of the definition that was found in the previous proposed amendment that stated “[r]isk assessments shall take into account the specific circumstances of the covered entity, including but not limited to its size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations.”
  • Responding to comments that the requirement would be burdensome and was ill-advised, the proposed amendment removed a requirement that Class A companies use external experts to conduct a risk assessment once every three years.

Security Controls

This proposed amendment revised the requirement for Class A companies to implement an automated method of blocking commonly used passwords. The amendment now requires this only for accounts on systems owned or controlled by the Class A company, and wherever feasible for all other accounts. This change was proposed in response to comments that this requirement, as previously written, might be infeasible for third-party applications and services.

  • Revised MFA requirement: The proposed amendment strengthened the multi-factor authentication (MFA) requirement but revised the qualified exemption applicable to some small companies. Under the second proposed amendment, MFA would be required for any individual accessing any of the covered entity’s information systems. For small companies that qualify for an exemption, MFA would be required for: (1) remote access to the covered entity’s information systems; (2) remote access to third-party applications, including but not limited to those that are cloud based, from which nonpublic information is accessible; and (3) all privileged accounts other than service accounts that prohibit interactive login.
    • Compensating controls: If the covered entity has a CISO, the CISO may approve, in writing, the use of reasonably equivalent or more secure compensating controls, and such controls must be reviewed periodically, at least annually. §500.12.

Incident Response and BCDR Plans

  • Root cause analysis: At the suggestion of commenters, the revised proposed amendment now adds an affirmative requirement that a covered entity’s incident response plan must include preparing a “root cause analysis that describes how and why the event occurred, what business impact it had, and what will be done to prevent reoccurrence.” §500.16(a)(1)(ix).
  • BCDR plans: There are also updates to the requirements around business continuity and disaster recovery (BCDR) plans, including specifying the BCDR plans should include procedures to enable the timely recovery of “critical data and information systems” rather than “data and documentation.” The revised proposed amendment additionally specifies that covered entities must maintain “backups necessary to restoring material operations” that are “adequately protected from unauthorized alterations or destruction.” §500.16(a)(2).

Notice Requirements

The previous version of the proposed amendment required covered entities to provide the superintendent with any information requested regarding the investigation of a cybersecurity event within 90 days of the notice of the event. In response to commenters expressing concern that this deadline could be difficult to meet, NYDFS dropped the 90-day requirement. This provision now reads: “Each covered entity shall promptly provide any information requested regarding such [reportable cybersecurity] event. Covered entities shall have a continuing obligation to update and supplement the information provided.” §500.17(a)(2).

The new proposed amendment, like the previous version, requires covered entities to notify the superintendent within 72 hours from a determination that a cybersecurity event in which an unauthorized user has gained access to a privileged account has occurred. In response to comments that the previous definition of privileged account was too broad when read in conjunction with this notification requirement, the new proposed amendment removed from the definition of privileged account an account that can be used to effect a material change to the technical or business operations of the covered entity.

  • Revised definition of privileged account: Privileged account means any authorized user account or service account that can be used to perform security-relevant functions that ordinary users are not authorized to perform, including but not limited to the ability to add, change or remove other accounts, or make configuration changes to information systems to make them more or less secure. §500.1(m).

Under the prior proposed amendment, covered entities were required to submit to the superintendent annually a written acknowledgment that identified all areas, systems and processes that required material improvement, updates or redesign. Commenters expressed concern that delivering this list to NYDFS would pose a security risk, as it would give bad actors a list of prime targets for a cyberattack. Others commented that this notification requirement was overly burdensome. In response, NYDFS removed this notification requirement in this most recent proposed amendment, which instead requires this information to be available for examination and inspection at the request of NYDFS.

What’s Next and What You Can Do Now

NYDFS will review all public comments to the revised second amendment. NYDFS has not announced whether it will propose additional revisions or will finalize the updated regulation, nor has NYDFS announced a timeline for either.

In the meantime, companies can prepare for the updated regulation now by doing the following:

  • Implement MFA: If you don’t already have MFA enforced on privileged and administrator accounts as well as for remote access to company systems (including email), now is the time to implement it.
  • Understand and Practice Roles of the CISO and Senior Governing Body: Prior to a cybersecurity event occurring, it’s important to have reviewed and practiced (usually through a tabletop exercise) your organization’s incident response plan. This will help your organization understand the process of declaring an incident, escalating the incident to the right people, and reporting to the Senior Governing Body, if necessary. When key stakeholders within an organization understand their roles prior to an incident, they will be better equipped to help the company respond effectively when a cybersecurity event does happen.
  • Conduct a Risk Assessment: You should already be conducting at least annual risk assessments. While the revised second amendment aligns with language from NIST, the regulation does not mandate any particular risk framework that a company should follow. Regardless of which framework a company adopts, its risk assessments must now take into consideration more than just technical operational impacts. NYDFS makes clear that impacts to an organization’s mission, functions, image, and reputation are important as well and must be considered as part of the annual risk assessment.

These are all parts of a robust cybersecurity program. Taking action now will place your organization ahead of the game before the amended regulation is final.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising