On July 29, 2022, the New York State Department of Financial Services (NYSDFS) released proposed changes that may have a significant impact on the current 23 NYCRR Part 500 – Cybersecurity Requirements for Financial Services Companies (the Cybersecurity Regulation or Part 500). Part 500, which establishes cybersecurity requirements for financial services companies, was promulgated by the Superintendent of Financial Services and has been in effect since March 2017.
The current draft amendments to Part 500 are available for full review on the Department of Financial Services website (https://www.dfs.ny.gov/industry_guidance/regulations/outreach_fsl), but here is a summary of the major changes to the draft proposal:
- Category of Class A companies: This new classification covers companies with over 2,000 employees or over $1 billion in gross annual revenue (as an average over three years). Class A companies will need to meet additional obligations such as:
  - Annual independent audits
  - Weekly vulnerability scans, with gaps being reported to the board and management
  - Stronger password controls, including password vaulting for privileged accounts and automated methods for blocking common passwords
  - Implementation of endpoint detection and response (EDR) solutions that allow for specific monitoring and logging requirements
- Governance and Oversight: There have been enhancements to the current requirements and some newly added criteria. The amendments speak to CISO independence and the need for the CEO and CISO to be involved in signing the certification of annual compliance. There is also a lot of focus on the board of directors, including additional reporting to the board, the need for board members to have sufficient expertise in cyber risk, and the board being the main approver of cyber policies.
- Business Continuity and Incident Response: The proposed changes would add the need to document detailed business continuity and disaster recovery (BCDR) plans, which cover roles and responsibilities, communication plans, backup detail, and involved third parties. Additionally, the changes would add a testing component to the incident response (IR) plan requirements already included in the Cybersecurity Regulation. The amendments call for periodic testing of not only the IR plan but also the BCDR plans. Testing would need to involve senior officers, the CEO, and any other personnel critical to response and continuity efforts.
- Risk Assessments: Changes to the risk assessment requirements propose tailored assessments based on many key factors such as functions, assets, customers, infrastructure, size, services, operations, and many others. Risk assessments must be updated annually or when a material change in business or technology occurs. For those newly defined Class A companies, external experts must be used to perform the risk assessment at least once in a three-year period.
- Assets and Access Control/Monitoring: The amendments speak to a new requirement of having policies and procedures in place to drive an asset inventory process that tracks all hardware, operating systems, devices, applications, APIs, and cloud services. Additional access control requirements would focus on privileged accounts, which would need multifactor authentication (MFA) and would be role-based in nature, ensuring such access is limited to only those necessary based on job duties. Another change would be the need to disable (or securely configure) remote control of devices and the ability to monitor and filter emails to block malicious content from reaching users.
- Notices: In addition to current notification rules, the amendments would bring new notification obligations, including notice to NYDFS:
  - Within 24 hours of any extortion payment in connection with a cybersecurity event
  - Within 30 days of an extortion payment event, the organization must report an explanation as to why payment was necessary, among other details
  - Within 72 hours of unauthorized access to a privileged account or a ransomware event affecting information systems
- Penalties: The draft amendments explain penalties and aspects of enforcing Part 500:
  - A single act prohibited by Part 500, or the failure to satisfy an obligation, constitutes a violation, including the failure to comply for any 24-hour period with any section or subsection of Part 500.
  - A list of several mitigating factors that NYDFS may consider when assessing penalties (e.g., cooperation, good faith, prior violations, harm to customers, gravity and number of violations, involvement of management, financial resources, any other regulation/regulating body that may be involved, etc.) will now be extended to all covered entities under the Banking Law, Insurance Law, and the Financial Services Law. (Previously, these factors were considered only in the Banking Law and, therefore, applied to only some regulated entities.)
If the amendments are adopted, entities can expect the following timeline:
- 30 days after adoption: The increased notification requirements and the changes to the annual notice of certification would take effect. (500.17)
- 180 days after adoption: Most of the changed requirements would take effect.
- 1 year after adoption: Many of the technology-related amendments would take effect. (500.07(b), 500.12(c), and 500.14(b))
It is important to understand these changes and begin assessing how they may affect your organization ahead of time. Many proposed amendments will require organizations to create a roadmap to tackle each new component, including planning for resource allocation in the form of time, money, technology, and personnel, all of which will require research, budgeting, planning, and business decisions to be made.
The comment period is open until August 8 if you would like to provide feedback on the proposed changes, and the agency contact can be located on the NYSDFS website linked above.
Update: The comment period has now been extended by NYDFS through August 18, 2022.