Last month, as the New York State Department of Financial Services (“DFS”) began phasing in amended cybersecurity regulations and continued enforcement actions against noncompliant entities, a wave of ransomware attacks roiled several high-profile businesses. The concurrent developments underscore the need for vigilance, not only in response to savvy threat actors, but with respect to a rapidly evolving regulatory scene.
On November 1, 2023, DFS amended its cybersecurity regulations, which apply to the financial services industry, including New York branches of foreign banks. We previously previewed the key amendments. Cybersecurity and a rash of ransomware attacks dominated headlines through the rest of the month. November 2 was the threatened deadline for Boeing to pay a ransom to hacker group LockBit, which eventually published the aerospace juggernaut’s data online. On November 9, the international law firm Allen & Overy announced a compromise of its storage servers by the same threat actor. The same day, the U.S. arm of the Industrial and Commercial Bank of China (“ICBC”)—the world’s largest commercial bank by total assets—also suffered a ransomware attack by LockBit, causing turbulence on the U.S. Treasury market. On November 13, the hacker group claimed receipt of ICBC’s ransomware payment. And on the enforcement front, on November 28, DFS announced a $1 million settlement with First American Title Insurance Company for failing to implement an effective cybersecurity policy or to control unauthorized users’ access to its sensitive information.
Continuing activity by threat actors may have complex interactions with the phased implementation of DFS’s amended regulations. DFS has announced a multi-stage implementation timeline, through November 1, 2025. The Department has allocated more time for implementing requirements more technical in nature, including mandatory multi-factor authentication. New cybersecurity incidents may therefore be subject to some of DFS’s additional requirements but not others, depending on when those incidents occur.
Most urgently, covered entities have until December 1, 2023, “to comply with” the new requirement to report and explain extortion payments, which will now require reporting of why a ransomware payment was necessary and a description of alternatives to payment considered, including related due diligence. The amendment does not expressly address whether ransomware payments must be reported if they were paid after the amendment took effect on November 1, 2023, but before December 1. And DFS’s implementation timeline does not appear to shed light on the question.
Looking forward, another key deadline will be April 15, 2024, when covered entities must file annual certifications of “material” compliance with the cybersecurity regulations—or, alternatively, acknowledgments of material noncompliance. Under the amended regulations, certification or acknowledgment must be both by the chief information security officer and the covered entity’s highest-ranking executive. During the notice-and-comment period for the amendments, a concern by commentators involved ambiguity over who an entity’s highest-ranking executive would be, such as for a corporate subsidiary. Covered entities should therefore determine what their annual certifications require in advance of the April 15 deadline.
We will continue reporting on the implementation of the new regulations and cybersecurity developments more broadly.