The New York Department of Financial Services (“NYDFS”), already an industry leader in establishing cybersecurity standards, officially published on November 9, 2022, proposed amendments to 23 NYCRR 500 (“Part 500”), the Department’s “Cybersecurity Requirements for Financial Services Companies,” that would once again raise the bar for the financial sector. Following on its preview of the changes in July 2022, the new amendments, if adopted, would strengthen cybersecurity oversight obligations; create new stringent requirements for larger financial institutions; establish heightened standards for data protection, access, and incident response; and impose a new 24-hour reporting requirement for ransomware payments. Interested parties have 60 days to submit comments to NYDFS.
Part 500 Background
Part 500 currently requires all “Covered Entities” to develop and implement a written cybersecurity policy approved by company leadership. Covered entities include “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law and the Insurance Law or the Financial Services Law,” with exceptions for small institutions. The cybersecurity obligations extend to fintech and cryptocurrency companies operating pursuant to a BitLicense under 23 NYCRR 200. Written policies need to be based on a risk assessment and, at minimum, include provisions for continuous monitoring, asset inventory, access controls, privacy protections, and incident response. Part 500 requires companies to appoint a qualified Chief Information Security Officer (“CISO”), or contract with a qualified third party, to oversee the program.
The amendments build on Part 500 by adding specificity and mandating certain practices. A majority of the amendments apply to all Covered Entities, but some would only impact a new subset of larger financial institutions—“Class A companies”—that have $20 million in gross annual revenue in each of the last two fiscal years, and either 2,000 employees or over $1 billion in gross revenue in each of the last two fiscal years from all business operations of the Covered Entity and its affiliates.
Increased Responsibility for Corporate Leadership
Where Part 500 requires cybersecurity policies to be approved by a senior corporate officer, the amendments specify that approval must be by a company’s “senior governing body” at least annually. To ensure appropriate oversight, the amendments would require boards of directors, or their equivalent, to have “sufficient expertise and knowledge, or be advised by persons with sufficient expertise and knowledge, to exercise effective oversight of cyber risk.” The amendments do not specify what expertise or knowledge would be sufficient, but presumably the board or its advisors would need to have prior cybersecurity experience. A senior officer or the senior governing body of an entity would need to approve cybersecurity policies on an annual basis, and boards would be required to afford CISOs the independence and authority necessary to manage cybersecurity risks. CISOs would be required to report annually to the board on cybersecurity readiness and to report on any material cybersecurity issues in a timely manner.
The amendments would require corporate leadership to annually certify to NYDFS whether the company’s cybersecurity program is in compliance with the regulations. Certifications must be signed by a covered entity’s CEO and CISO and be based on “data and documentation” sufficient to demonstrate full compliance, such as reports, certifications, and schedules created by officers and outside vendors. In the event of any noncompliance, the certification must identify applicable regulatory provisions and what systems or processes require material improvement, update or redesign to address those deficiencies.
Covered entities are currently required to notify the NYDFS superintendent within 72 hours of a cybersecurity incident if either the company is responsible for notifying any governmental body or if the incident has a reasonable likelihood of harming a covered entity’s normal operations.
The amendments would require notification when a cybersecurity incident results in unauthorized access to a privileged account or the deployment of ransomware within a material part of the company’s information system. A privileged account is an authorized user account that can perform security-level functions not available to regular accounts or that can be used to make material changes to the technical or business operations of the company. Companies would also be required to notify the superintendent within 24 hours of an extortion payment and to follow up within 30 days with a written description of why the payment was necessary, any alternatives considered, and all due diligence performed.
Data Access Privileges
The amendments add complexity to the existing requirements to limit user-access privileges to information systems containing nonpublic information. Access would be limited based upon the user’s job functions, and the number of privileged accounts that perform “security-relevant functions” would be limited.
The amendments would require multi-factor authentication to be used for all remote access and all privileged accounts. If passwords are used as one method of authentication, then all covered entities need to ensure that “strong, unique passwords are used.”
Class A companies must also “monitor privileged access activity,” implement password vaulting for privileged accounts, and deploy an automated method of blocking commonly used passwords, unless the CISO approves in writing a reasonably equivalent or more secure method of controlling access.
The amendments would require risk assessments to be updated annually and whenever a “change in the business or technology causes a material change to the covered entity’s cyber risk.” Class A companies would be required to use an external expert to conduct the risk assessment at least once every three years.
Asset Inventory Documentation
The amendments would add new requirements for all covered entities to “implement written policies and procedures designed to ensure a complete, accurate, and documented asset inventory.” Proposed asset inventories must include all information systems, hardware, operating systems, applications, infrastructure devices, APIs and cloud services used by the institution and must track key information regarding each asset, including the owner, location, classification or sensitivity, support expiration date, and recovery time requirements.
While all covered entities are required to include in their cybersecurity programs written incident response plans, under the amendments, plans must include “proactive measures to investigate and mitigate disruptive events and ensure operational resilience.” Updated plans must also include business continuity and disaster recovery provisions reasonably designed to ensure the availability and functionality of the company’s services and that protect personnel and nonpublic information. At minimum, continuity plans must:
- identify documents, data, facilities, infrastructure and personnel essential to continued operations;
- identify supervisory personnel responsible for a business continuity plan;
- include a communication plan that includes employees, counterparties, authorities, third-party service providers, disaster recovery specialists, the senior governing body, and any other essential personnel;
- include procedures for maintaining a backup facility and alternative staffing to ensure operations resume as soon as reasonably possible;
- include procedures for backing up, copying, and storing “offsite,” “with sufficient frequency,” documents and data essential to business operations.
Companies would be responsible for distributing the written plan to all relevant employees and ensuring that they are trained in implementing the plans. Plans, including the ability to restore systems from backups, would be required to be tested and revised periodically.
The amendments clarify that a violation of Part 500 includes an act prohibited by the regulations or “failure to act to satisfy an obligation” required by the rules. Failure to act would include:
- failing to secure or prevent unauthorized access to an individual’s or an entity’s nonpublic information due to noncompliance with the act; or
- failing to comply for any 24-hour period with any section of the regulation.
In assessing a penalty, the Department may consider a number of factors, including the number of violations, any history of violations, the extent of harm to consumers, the length of non-compliance, and “such other matter as justice and the public interest require.”
The amendments demonstrate that NYDFS continues to prioritize cybersecurity compliance and will continue to be at the forefront of developing cyber regulations. NYDFS has already shown that it is willing to aggressively pursue companies for failing to meet cybersecurity requirements, including high-profile cryptocurrency companies. Should the revised regulations go into effect, financial services companies will need to evaluate current cybersecurity policies and technology. This is particularly important for the major new obligations, which include reporting requirements related to ransomware, business continuity requirements, increased annual certification requirements, and increased cyber experience for boards and governing bodies.
Companies will have 180 days to comply with most provisions and will need to be prepared to comply with new notification requirements within 30 days of the amendments going into effect. Company control groups will further need to ensure that they have the appropriate expertise and structures in place to comply with the accountability measures included in the amendments. Given that the amendments currently require additional infrastructure, such as offsite data storage and, for Class A companies, third-party risk assessments, companies may need to plan for additional cybersecurity budgetary needs.