This is our sixth and final post in a series analyzing major proposed changes in the New York Department of Financial Services (“NYDFS”) Cybersecurity Regulation. (If you missed them, we posted previously on changes to risk assessments, policies and procedures, role of the CISO, board and officer liability, and the impact on large companies.) This post focuses on violations and cybersecurity events, and sets forth exemptions and mitigating factors you may be able to use.
The NYDFS appears to be very serious about enforcement. For example, revised Section 500.20(b) makes clear that commission of even a single prohibited act will constitute a violation. Thus, any information security incident that allows access to, or fails to secure, nonpublic information, or any non-compliance with the Cybersecurity Regulation that is not corrected within 24 hours, can lead to liability. Although this appears to be an extreme requirement, it is in line with recent NYDFS enforcement against EyeMed, where good-faith filings and lack of awareness of non-compliance did not constitute a defense.
Section 500.20(c) addresses the penalties for violating the Cybersecurity Regulation, and lists fifteen mitigating factors that may impact the penalty. A covered entity responding to a violation or cyber event should consider incorporating these mitigating factors into its reports to NYDFS. It is unclear how these factors will be used in calculating potential penalties for non-compliance. To date, NYDFS has calculated non-compliance on a per-day basis and negotiated from that point. Section 500.20(c) seems to provide covered entities with a map for such negotiations.
Section 500.19 addresses certain exemptions to the Cybersecurity Regulation requirements. In practice, “exempt” under the Cybersecurity Regulation means “partially exempt,” so an exempt entity would still need to comply with numerous provisions of the Cybersecurity Regulation to remain in compliance. The proposed changes in 500.19(a) increase the threshold requirements for exempt companies to include entities that have fewer than 20 employees (previously 10) and less than $15M in year-end assets (previously $10M). The count of employees has also been clarified to include independent contractors of a company’s affiliates, regardless of location. With this expanded definition, some companies will no longer be exempt. Perhaps most important, whether or not a covered company is “exempt” under Section 500.19, covered companies will still be required to implement a multi-factor authentication (MFA) process for remote access and privileged accounts. Companies implementing MFA may, of course, need to purchase new technologies, and the process is likely to impact IT workflows and operations. The MFA requirement follows NYDFS and other regulatory guidance that sees MFA as a key control to prevent breaches.
The proposed changes also include updates to the notice requirements for different triggering events (Section 500.17). Section 500.17(a) now requires notice to NYDFS of a cybersecurity event in which an unauthorized user has gained access to a privileged account, or which has resulted in ransomware within a material part of the company’s information systems. Covered entities were already reporting ransomware incidents to the NYDFS if there was actual material harm. However, the proposed language does not distinguish between ransomware attacks that create material harm and ransomware attacks that do not result in damage. Effectively, under the proposed revisions, the covered entity would need to report all ransomware incidents to the NYDFS. Similarly, although unauthorized access to a privileged account may not automatically result in harm to a company’s systems, under the proposed language the covered entity would nonetheless have to report any unauthorized privileged account access.
You can read the full text of the proposed changes here.