New York State Department of Financial Services To Amend Cybersecurity Regulations for Financial Services Companies

The New York State Department of Financial Services (NYDFS) has published proposed amendments to its Cybersecurity Requirements for Financial Services Companies (amendments).^[1] The amendments to the agency’s cybersecurity regulations, 23 NYCRR § 500 (Part 500), would subject all covered entities — including banks, insurance companies and other financial institutions regulated by DFS — to a number of new cybersecurity requirements, including a 24-hour notification requirement for ransomware payments, annual penetration testing and risk assessments, enhanced cybersecurity policies and security measures, and new governance and board oversight requirements. They would impose additional requirements on a new category of Class A companies — the largest financial services companies — including requirements that they conduct independent audits of their cybersecurity programs at least annually, monitor privileged access activity and use external experts to conduct a risk assessment at least once every three years.

Background and Proposal

Part 500 first took effect in August 2017.^[2] Currently, the rules require banks, insurance companies and other institutions regulated by NYDFS to have a cybersecurity program designed to protect consumers’ private data, written policies approved by the board or a senior officer, a chief information security officer (CISO) to help protect data and systems, and other controls and plans in place. Covered entities must also report cybersecurity events through the NYDFS online cybersecurity portal.

In June 2021, NYDFS stated that it was considering revising Part 500 to address the evolution in cyber risk, citing an “evolving and more dangerous threat landscape” compared to when it first adopted the regulations.^[3] In particular, the agency noted that from January 2020 through May 2021, NYDFS-regulated companies reported 74 ransomware attacks, some of which caused crippling dayslong shutdowns.

In July 2022, NYDFS released pre-proposed amendments to Part 500 and solicited feedback from other regulators, industry groups and regulated entities.

On Nov. 9, NYDFS officially announced its proposed amendments to Part 500. NYDFS made a number of changes in response to feedback it received to the pre-proposed amendments over the past several months. Most notably, it limited Class A companies to only those that have had at least $20 million in gross annual revenue in each of the past two fiscal years from business operations in New York, and softened some of the technical requirements for those companies. Additionally, it added a requirement that a covered entity report a cybersecurity event at a third-party service provider that affects the entity.

In its announcement, NYDFS stated that the amendments are designed to combat increasingly sophisticated technologies and threats.^[4] “With cyber-attacks on the rise, it is critical that our regulation keeps pace with new threats and technology purpose-built to steal data or inflict harm,” NYDFS Superintendent Adrienne A. Harris said in a press release. “Cyber criminals go after all types of companies, big and small, across industries, which is why all of our regulated entities must comply with these standards — whether a bank, virtual currency company, or a health insurance company.”

Covered Entities

The definition of “covered entity” would remain generally the same under the proposed amendments to Part 500, covering banks, insurance companies and other financial institutions regulated by DFS, although the amendments would add the italicized language to the definition:

“any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the [New York] Banking law, the [New York] Insurance Law, or the [New York] Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies.”

This addition clarifies that covered entities would not be exempt from the regulation simply because they are also regulated by other government agencies. This is a departure from other U.S. privacy laws, which often exempt entities covered by sector-specific cybersecurity regulations.

New Notification Requirements

Part 500 already requires covered entities to report some cybersecurity events through the NYDFS online cybersecurity portal within 72 hours. The amendments add three types of cybersecurity events that would need to be reported to NYDFS in this time frame:

• A cybersecurity event in which an unauthorized user gains access to a privileged account (which is an account that can either perform special security-relevant functions or affect a material change to technical or business operations).
• A cybersecurity event that results in the deployment of ransomware within a material part of the covered entity’s information system.
• A cybersecurity event at a third-party service provider that affects the covered entity. (Third-party service providers are any non-affiliates of the covered entity that are not governmental entities, and that maintain, process or otherwise are permitted access to nonpublic information through their provision of services to the covered entity.)

The amendments would also require covered entities to provide NYDFS any information requested regarding the investigation of the cybersecurity event within 90 days of the notice, and to continually update and supplement the information provided.

In addition, a covered entity that makes a ransomware payment would need to notify NYDFS of the payment within 24 hours of making it. Further, within 30 days, it would need to provide a written description of the reasons a payment was necessary, a description of alternatives to payment considered, all diligence performed to find alternatives to payment, and all diligence performed to ensure compliance with applicable rules and regulations.

New Certification Requirements

The amendments specify that a covered entity’s annual certification of compliance to NYDFS under Part 500 would need to be signed by its highest-ranking executive and its CISO (or if it has no CISO, the senior officer responsible for its cybersecurity program). Until now, covered entities could submit this annual certification from their highest governing bodies or other senior officers.

The amendments would also require that covered entities base the annual certification on data and documentation sufficient to accurately determine and demonstrate full compliance.

Further, the amendments would create a new option for covered entities that did not fully comply with the cybersecurity regulations to provide written acknowledgment of noncompliance, in which they would describe the nature and extent of noncompliance; identify areas, systems and processes that require material improvement, updating or redesign; and provide remedial plans and a timeline for their implementation.

New Requirements for Penetration Testing and Risk Assessments

The amendments would also make changes to the required penetration testing and risk assessments that covered entities are already required to conduct under Part 500.

• Penetration testing: Covered entities would need to conduct, at least annually, penetration testing of their information systems from both inside and outside the systems’ boundaries by a qualified internal or external independent party.
• Automated scans: In order to discover vulnerabilities, covered entities would need to conduct automated scans of their information systems, and manually review systems not covered by such scans, at a frequency determined by the risk assessment and promptly after any major system changes.
• Ongoing vulnerability monitoring and remediation: Instead of the currently required biannual vulnerability assessments, covered entities would need to have a monitoring process in place to ensure they are promptly informed of the emergence of new security vulnerabilities. They would also need to timely remediate vulnerabilities, giving priority to vulnerabilities based on the risk they pose to the covered entity, and document and report material issues to the senior governing body and senior management.
• Risk assessments: Covered entities would need to review and update their risk assessments at least annually, and also whenever a change in business or technology causes a material change to their cyber risk.

New Cybersecurity Controls and Policies

Under the amendments, covered entities would also need to implement new, enhanced cybersecurity controls and policies.

• Cybersecurity policies: The amendments would require a covered entity’s cybersecurity policies to address issues not currently covered by Part 500, including data retention, end of life management, remote access controls, systems monitoring, security awareness and training, application security, incident notification, and vulnerability management.
• Privileged account controls: For privileged accounts, covered entities would need to limit the number of accounts, their access functions and their actual use, based on what is necessary for users to perform their jobs. The amendments would also require covered entities to periodically (and at least annually) review all user access privileges and remove or disable accounts and access that are no longer necessary, disable or securely configure all protocols that permit remote control of devices, and promptly terminate access following departures.
• Multifactor authentication: Under the amendments, covered entities would need to use multifactor authentication for remote access to the covered entity’s information systems; remote access to third-party applications, including but not limited to those that are cloud based, from which nonpublic information is accessible; and all privileged accounts. Alternatively, the CISO could approve in writing the use of reasonably equivalent or more secure compensating controls, which the CISO would need to review periodically and at least annually.
• Monitoring and filtering content: Covered entities would need to implement controls that protect against malicious code, including controls that monitor and filter web traffic and email to block malicious content.
• Cybersecurity training: Covered entities would need to provide cybersecurity awareness training that includes social engineering exercises for all personnel at least annually.
• Disaster recovery plans: In addition to their incident response plans, covered entities would need to establish business continuity and disaster recovery plans. They would need to share their plans with, and provide training to, all employees necessary to implement such plans. They would also need to test their plans at least annually with all critical staff, including senior officers.

New Governance and Board Oversight Requirements

The amendments would create new governance and oversight requirements related to cybersecurity for a covered entity’s “senior governing body,” which is its board of directors (or an appropriate committee), or equivalent governing body, or if those do not exist, the senior officer responsible for its cybersecurity program.

• Approval of cybersecurity policies: The senior governing body would need to approve, at least annually, the covered entity’s policies and procedures for the protection of its information systems and nonpublic information stored on those information systems.
• Internal reporting: The covered entity’s CISO would need to timely report to the senior governing body regarding material cybersecurity issues, including major cybersecurity events and any updates to the covered entity’s risk assessment. In its annual written report to the senior governing body, the CISO would also need to report on plans for remediating any material inadequacies.
• Effective board oversight: If the covered entity has a board of directors or equivalent, the board or an appropriate committee of the board would need to exercise oversight of, and provide direction to management on, the covered entity’s cybersecurity risk management; require the covered entity’s executive management or its delegates to develop, implement and maintain its cybersecurity program; and have sufficient expertise and knowledge, or be advised by persons with sufficient expertise and knowledge, to exercise effective oversight of cybersecurity risk management.
• Adequate CISO authority: The amendments would require the covered entity’s CISO to have “adequate authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program.”

Additional Requirements for Larger (Class A) Companies

The amendments would create a new classification of Class A companies, which are defined as covered entities with at least $20 million in gross annual revenue in each of the past two fiscal years from business operations of the covered entity and its affiliates in New York, and with either of the following:

• Over 2,000 employees averaged over the past two fiscal years (including the company’s and its affiliates’ employees, no matter where located).
• Over $1 billion in gross annual revenue in each of the past two fiscal years (from all of the company’s and its affiliates’ business operations).

In addition to the new obligations described above, Class A companies would need to comply with several additional requirements under the amendments:

• Annual audit: Class A companies would need to conduct an independent audit of their cybersecurity programs at least annually. The independent audit would need to be conducted by external auditors free to make decisions, and not influenced by the covered entity or its owners, managers or employees.
• Privileged account controls: In addition to the baseline privileged account requirements for all covered entities, Class A companies would need to monitor privileged access activity and implement a privileged access management solution and an automated method of blocking commonly used passwords for all accounts. If it is not feasible to automatically block commonly used passwords, the company’s CISO could instead annually approve (in writing) the use of reasonably equivalent or more secure controls.
• Risk assessments: Class A companies would need to use external experts to conduct a risk assessment at least once every three years.
• Monitoring activity: Class A companies would need to implement an endpoint detection and response solution to monitor anomalous activity, including but not limited to lateral movement (movement by a potential cyberattacker within a network), and implement a solution that centralizes logging and security event alerting. Alternatively, the company’s CISO could approve (in writing) the use of reasonably equivalent or more secure controls.

Expansion of Limited Exemptions for Small Companies

Under Part 500, some small companies are exempt from certain provisions of the regulations, including the sections on governance, monitoring and training, and incident response plans.

The amendments would expand the number of companies that qualify for these exemptions. Whereas covered entities with fewer than 10 employees are currently exempt, the amendments would raise that number to 20 employees. Further, covered entities with less than $10 million in year-end total assets are currently exempt, but the amendments would raise that number to $15 million.

Implications

NYDFS published the amendments to the State Register on Nov. 9, commencing a 60-day comment period that will end on Jan. 9, 2023, at which point the amendments will be further revised or finalized.

If adopted, covered entities would have 180 days from the effective date of the amendments to comply with them, with some exceptions, including that covered entities would only have 30 days to comply with the new requirements related to notification of cybersecurity events and ransomware payments, and annual certification of compliance or acknowledgment of noncompliance. Covered entities would also have 18 months to comply with the new requirements for performing automated vulnerability scans and other technical control requirements.

Under the amendments, covered entities will violate the regulations if they commit a prohibited act; fail to comply with any section for a 24-hour period; or fail to secure, or prevent unauthorized access to, nonpublic information due to noncompliance with the regulations. In assessing a penalty for a violation, NYDFS will consider factors including the extent the covered entity cooperated with the investigation, the covered entity’s good faith, its history of prior violations, and the gravity of the violations and extent of harm to consumers.

The amendments may increase costs for some financial services companies that need to adopt additional cybersecurity measures. At the same time, there will be more NYDFS-regulated entities that qualify for a limited exemption based on their relatively smaller size. Companies that determine they qualify for a limited exemption would still need to file a Notice of Exemption form on the NYDFS website within 30 days of that determination.

^[1] _{NYDFS, Proposed Second Amendment to 23 NYCRR § 500 (proposed Nov. 9, 2022).}

^[2] _{See Kramer Levin’s client alert on the original Part 500.}

^[3] _{NYDFS, Industry Letter Re: Ransomware Guidance (June 30, 2021).}

^[4] _{Press Release, NYDFS Superintendent Adrienne A. Harris Announces Updated Cybersecurity Regulation (Nov. 9, 2022).}