On November 1, 2023, the New York State Department of Financial Services (“DFS”) amended its cybersecurity regulations to institute additional standards and controls aimed at securing sensitive data among the financial services industry. The amendments require more robust governance, additional controls to prevent and mitigate cyber-attacks, enhanced risk and vulnerability assessments, rapid notification for ransomware attacks, and new training for personnel. DFS’s cybersecurity regulations were the first in the nation to mandate a comprehensive program of technical and governance standards for financial firms. According to Governor Kathy Hochul, the new amendments will further ensure “that financial institutions have the safeguards in place to protect vital customer data and maintain the integrity of our financial system.”

The amendments revise DFS’s original requirements in the following areas:

  • Governance
  • Self-Assessment and Enhanced Control Measures
  • Prevention and Mitigation of Cyber-Attacks
  • Ransomware

Governance

The amendment places additional requirements on a covered entity’s Chief Information Security Officer (“CISO”) by requiring CISOs to timely report “material cybersecurity issues” to their company’s senior governing body or officers. Such issues include “significant cybersecurity events and significant changes to the covered entity’s cybersecurity program.” The amendment also places responsibility on a covered entity’s senior governing body to oversee the company’s “cybersecurity risk management,” which includes having a basic understanding of cybersecurity-related matters, developing and maintaining a cybersecurity program, regularly receiving and reviewing cybersecurity management reports, and confirming that sufficient resources are allocated to implementing and maintaining a cybersecurity program.

Self-Assessment and Enhanced Control Measures

The amendment provides that covered entities must now “develop and implement written policies and procedures” to test their cybersecurity program’s vulnerabilities. In contrast to the original rules, which were less specific, DFS will now require policies and procedures designed to ensure that companies (a) conduct automated or manual scans of their information systems “for the purpose of discovering, analyzing, and reporting vulnerabilities,” (b) are promptly informed of any vulnerabilities by having a monitoring process in place, and (c) timely remediate identified vulnerabilities.

With respect to access to sensitive data, the amendment revises who may access nonpublic information, what information such persons should have access to, when such persons should have access to that information, and how that access should be monitored. Notably, as amended, the regulations now require covered entities to use multi-factor authentication for any access by an individual of any covered entity’s information systems unless such entity falls within the limited exception for smaller businesses, in which case multi-factor authentication is required in more limited circumstances. For companies with a CISO, this requirement may be bypassed in favor of “reasonably equivalent or more secure compensating controls.”

Nonpublic information must now also be encrypted. Prior to the amendment, a covered entity was permitted to impose an encryption control based on its own risk assessment, but now, a “written policy” requiring encryption “that meets industry standards” to protect its nonpublic information is required. Only if encryption of the nonpublic information is “infeasible” may a company forego using encryption in place of a written policy approved by the CISO that is an “effective alternative.”

Prevention and Mitigation of Cyber-Attacks

Covered entities must now develop a written policy and procedure designed to “produce and maintain a complete, accurate and documented asset inventory of the covered entity’s information systems.” At a minimum, this policy must track each asset’s owner, location, classification or sensitivity, support expiration date, and recovery time objectives. While imposing an additional mandate on covered entities, these types of data inventories can be invaluable to companies that have fallen victim to a ransomware attack, with loss of access to their systems.

To better prevent such a loss of access, the amendment requires more of a covered entity’s cybersecurity monitoring and training. It requires that companies implement controls designed to protect against malicious code, conduct at least annual training on social engineering for all personnel, and, for larger companies, implement an endpoint detection and response solution to monitor anomalous activity and log “security event alerting.”

A covered entity’s incident response and business continuity management obligations have been buttressed as well. The amendment imposes additional obligations in terms of the proactive measures a covered entity must take to investigate and mitigate cybersecurity events and to ensure operations may continue if an incident takes place. Chief among these changes is that a covered entity must design a “business continuity and disaster recovery plan” aimed at ensuring that information systems remain available, functional, and recoverable in the event of an incident. The amendment sets forth base requirements, including identifying essential documents, data, facilities, infrastructure, services, personnel, and competencies “essential to the continued operations of the covered entity’s business.” All employees necessary to conduct the plan must be provided a copy of it and be trained in their roles and responsibilities. While it has long been best practice to have an incident response plan in place, and to periodically practice it through tabletop exercises, this is now a requirement for companies covered by DFS’s cybersecurity regulations.

Ransomware

Finally, the amendment imposes additional obligations on a covered entity following a ransomware attack. In the event an extortion payment is made in response to a cybersecurity incident, a covered entity must notify the DFS Superintendent within 24 hours of the payment and provide a written description as to why the payment was necessary, including alternatives considered, related due diligence, and steps taken to ensure compliance with all applicable rules and regulations. This requirement is in line with recent rules passed by the SEC for public companies, requiring disclosures of material cyber events, which for some companies, may include cyber extortion payments.

The amendment became effective November 1, but covered entities have 180 days to come into compliance with its changes (save for certain provisions), meaning April 29, 2024. Companies covered by DFS’s regulations should begin reviewing them today in advance of implementation and ongoing compliance. We will continue to monitor and report on this matter.