Newly proposed amendments to the New York Department of Financial Services' (NYDFS) already-comprehensive cybersecurity rules would impose heightened cybersecurity requirements on large financial institutions and additional compliance obligations on all entities covered by the rules. More significantly, some of the proposed amendments, as detailed below, signal potential new avenues of regulatory scrutiny and enforcement.
First proposed in 2016, and made fully effective in 2019, the Cybersecurity Requirements for Financial Services Companies (also known as "Part 500") apply to New York–chartered banks, insurance companies that do business in New York, and other types of financial services firms that are licensed by the NYDFS (known as "covered entities").
The proposed amendments would impose new obligations on covered entities that have over 2,000 employees or a gross annual revenue averaging more than $1 billion over the last three fiscal years. The amendments also would, among other changes detailed in this article, impose new obligations on covered entities' boards of directors and Chief Information Security Officers (CISOs), and require covered entities to electronically notify the NYDFS Superintendent within 72 hours of incidents involving ransomware and unauthorized access to newly defined "privileged accounts."
The amendments forecast potentially increased regulatory focus on covered entities' extortion payments in response to ransomware or other attacks. They would require covered entities to notify the NYDFS within 24 hours of making extortion payments and later follow up with a detailed justification of why the entity made the payment.
The amendments are currently open for comment until August 8, 2022, but a new 60-day comment period will commence once the NYDFS formally submits them as proposed regulations.
New Entity Classification and Obligations
The proposed amendments create a new category of "Class A" companies, which are defined as covered entities with over 2,000 employees or gross annual revenue averaging more than $1 billion over the last three fiscal years. The new regulations would also place a number of obligations on Class A companies, including requirements to:
- Conduct annual independent audits of their cybersecurity programs;
- Conduct systemic scans or reviews at least weekly;
- Monitor privileged account access activity and, unless otherwise approved by the CISO in writing, implement a password vaulting solution for privileged accounts and an automated method of blocking commonly used passwords;
- Use external experts to conduct risk assessment at least once every three years;
- Implement, unless otherwise approved by the CISO in writing, an endpoint detection and response solution to monitor anomalous activity, including but not limited to lateral movement, and a solution that centralizes logging and security event alerting.
Additional Board Oversight
The proposed amendments also emphasize the importance of involving the board of directors in cybersecurity matters. To that end, the amendments would create additional obligations for board members relating to cybersecurity oversight.
Specifically, the proposed amendments would require the board to:
- Approve cybersecurity policies at least annually;
- Require the covered entity's executive management to develop, implement, and maintain the covered entity's information security program;
- Possess sufficient expertise and knowledge, or be advised by persons with sufficient expertise and knowledge, to exercise effective oversight of cyber risk.
In addition, material gaps in the covered entity's cybersecurity practices that are identified during testing must be documented and reported to the board and senior management.
New Obligations for CISOs
The proposed amendments would also obligate covered entities' CISOs to:
- Possess independence and authority adequate enough to ensure the appropriate management of cybersecurity risks;
- Include plans for remediating inadequacies identified in the cybersecurity program in the required annual board report;
- Report to the board regarding "material cybersecurity issues," which are described in the proposed amendments as including updates to the covered entity's risk assessment or major cybersecurity events;
- Annually review the feasibility of encryption and the effectiveness of the compensating controls.
In addition, the amended regulations would require the CISO and the CEO to annually sign a document certifying that the entity complied with the regulations. Alternatively, both would be required to sign a document acknowledging that the covered entity did not fully comply with all the requirements of the regulations. This acknowledgment would have to identify all the provisions of the regulations that the entity has not fulfilled, and the nature and extent of such noncompliance. The acknowledgment also would be required to identify all areas, systems and processes that require material improvement, updating or redesign.
New Notification Requirements
The proposed amendments would require covered entities to electronically notify the NYDFS Superintendent within 72 hours of:
- Cybersecurity events in which an unauthorized user gained access to a "privileged account," defined as any user or service account that can (a) perform security-related functions ordinary users are not authorized to perform, or (b) affect a material change to the technical or business operations of the covered entity, or
- Cybersecurity events that resulted in the deployment of ransomware within a material part of the covered entity's information system.
Covered entities, in the event of an extortion payment made in connection with a cybersecurity event, would be required to provide the NYDFS Superintendent with:
- Notice of having made an extortion payment within 24 hours of making that payment, and
- Within 30 days of the extortion payment, a written description of the reasons payment was necessary, a description of alternatives to payment considered, all diligence performed to find alternatives to payment, and all diligence performed to ensure compliance with applicable rules and regulations, including those of the Office of Foreign Assets Control.
New General Compliance Obligations
- Asset Management: All covered entities would be required to document and maintain an asset inventory that tracks key information for each asset, among other things. [500.13(a)]
- Business Continuity and Disaster Recovery (BCDR) Plan: All covered entities would be required to develop BCDR plans, ensuring they can continue to provide services in the event of an emergency or other disruption. The BCDR plan would have to include, among other things, procedures for backing up or copying operationally essential documents and data, and storing such information offsite.
- Training: All covered entities would be required to provide training to all employees responsible for implementing the BCDR and incident response plans regarding their roles and responsibilities.
- Testing: All covered entities would be required to periodically test their incident response plan, their BCDR plan, and their ability to restore systems using back-ups.
Violations and Penalties
The amendments clarify that the failure to secure or prevent unauthorized access to an individual's or an entity's nonpublic information due to noncompliance with any section of the regulations or the failure to comply for any 24-hour period with any section or subsection of the regulations constitutes a violation.
The amendments also specify the factors that the NYDFS would be required to consider when assessing penalties for violations, which include:
- The extent to which the covered entity has cooperated with NYDFS in its investigation;
- Good faith of the covered entity;
- Whether the violations resulted from conduct that was unintentional or inadvertent, reckless, or intentional or deliberate;
- Whether the violation was a result of the covered entity failing to remedy previous examination matters requiring attention, or failing to adhere to any disciplinary letter, letter of instructions, or similar;
- Any history of prior violations;
- Whether the violation involved is an isolated incident, whether the covered entity has committed repeat violations or systemic violations, or whether it has been involved in a pattern of violations;
- Whether the covered entity provided false or misleading information;
- The extent of harm to consumers;
- Whether required, accurate, and timely disclosures were made to affected consumers;
- The gravity of the violations;
- The number of violations and the length of time over which they occurred;
- The extent, if any, to which the senior governing body participated in committing the violations;
- Any penalty or sanction imposed by any other regulatory agency;
- The financial resources, net worth, and annual business volume of the covered entity and its affiliates; and
- Other matters required by justice and the public interest.
The proposed amendments significantly expand the already-exhaustive NYDFS cybersecurity rules and demonstrate the agency's commitment to having all covered entities address cybersecurity issues at the highest levels of management. Particularly notable is the agency's interest in ransomware payments, suggesting that the NYDFS intends to scrutinize payment decisions and may consider enforcement actions for payments it views as unjustified or improper. Covered entities would do well to familiarize themselves with the amendments and be prepared for compliance if the amendments are adopted.
The pre-proposal comment window closes August 8, but the NYDFS will field comments from interested stakeholders for a 60-day period that will commence in the next few weeks. If your institution might be impacted by these regulations, you should consider submitting comments to NYDFS.
DWT's Privacy and Security team advises institutions on compliance with the NYDFS Cybersecurity Regulations and will continue to monitor developments relating to these proposed amendments.