Recent activity by the New York Department of Financial Services (NYDFS) and the Securities and Exchange Commission (SEC) highlights the continued focus of government regulators on cybersecurity. As these and other regulators take an increasingly assertive enforcement posture, companies should be proactive about structuring their cybersecurity compliance programs to avoid fines, safeguard sensitive data, and protect their reputation.
NYDFS Finalizes Amendments to Cybersecurity Rules
In July, we wrote about ten notable updates proposed by NYDFS to its cybersecurity regulations. On November 1, the NYDFS announced that it had finalized amendments to 23 NYCRR 500.
Among other changes, the amended cybersecurity rules include the following:
- Class A Companies. The amendments create a new category of large “Class A companies”: companies with at least $20 million in gross annual revenue in each of the last two fiscal years from business in New York that also have either over 2,000 employees averaged over the last two fiscal years (regardless of location) or more than $1 billion in gross annual revenue in each of the last two fiscal years from all business operations. Class A companies must adhere to stricter requirements, including annual independent audits of their cybersecurity program, a privileged access management solution, endpoint detection and response monitoring, and centralized logging and security event alerting.
- Board Approval of Cybersecurity Policies. Cybersecurity policies, which companies must have under existing rules, must be approved at least annually by the senior governing body of the company (e.g., the board of directors).
- Asset Management Requirements. Companies must maintain an inventory of their information systems, which must track assets by owner, location, classification or sensitivity, support expiration date, and recovery time objectives.
- CISO Reporting. A company’s chief information security officer (“CISO”), which companies must designate under existing rules, is required to “timely report material cybersecurity issues” to the company’s board.
- Board Oversight and Competence. Company boards are required to “exercise oversight over the covered entity’s cybersecurity risk management” and “have sufficient understanding of cybersecurity-related matters to exercise such oversight.”
- Incident Response and Business Continuity and Disaster Recovery. Companies’ incident response plans must now address data backups and include detailed business continuity and disaster recovery plans to ensure the availability and functionality of their information systems and material services.
- Annual Penetration Testing. Companies must conduct annual penetration testing of their information systems and perform automated scans of systems to uncover vulnerabilities.
- Encryption. Companies must encrypt nonpublic information and use encryption that “meets industry standards.”
- Cybersecurity Notifications. Companies must notify NYDFS of cybersecurity events affecting affiliates and third-party service providers.
- Ransomware Payments. Companies are required to notify NYDFS within 24 hours of any “extortion payment” made in connection with a ransomware event.
- Compliance Certifications. Companies, which are already required to certify their compliance annually with these rules, are now required to base their certifications “upon data and documentation sufficient to accurately determine and demonstrate such material compliance,” including internal data or documentation as well as from outside vendors.
- Enforcement Guidance. Finally, the amended regulations outline 16 considerations that regulators must take into account in assessing any penalty for a violation of the rules, such as a covered entity’s cooperation with the investigation, consumer harm, accurate and timely consumer disclosures, whether the actions were isolated or part of a pattern of conduct, the financial resources and business volume of the entity, and whether the entity’s relevant policies and procedures are consistent with nationally recognized cybersecurity frameworks, such as NIST.
Covered entities have six months to comply with these amendments. Accordingly, financial institutions regulated by NYDFS must take steps now to be compliant by April 29, 2024.
In conjunction with the amended rule, NYDFS also released an assessment of the comments it received on the proposed amendments. Among other notable points, commenters encouraged the agency to align its rules with the SEC and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. In response, NYDFS contended that it takes a risk-based approach that is consistent with the SEC and NIST and declined to make further amendments. Additionally, NYDFS declined to make any artificial-intelligence-specific updates to its rule, while recognizing “that cybersecurity risks associated with AI are concerning.”
SEC Sues SolarWinds for Securities Fraud
Separately, the SEC recently announced the filing of a ten-count complaint against SolarWinds and its chief information security officer (CISO) for defrauding investors and customers about the company’s cybersecurity practices.
SolarWinds—a Texas-based network management software company—was the victim of a massive cyberattack attributed to the Russian Foreign Intelligence Service in 2020. Nearly 18,000 customers, including federal agencies, used SolarWinds’ software and received compromised code as a result of the incident dubbed “SUNBURST.”
According to the SEC’s 68-page complaint, filed in the Southern District of New York, SolarWinds violated its obligation to maintain reasonable safeguards against unauthorized access to company assets and made materially false and misleading statements and omissions about its cybersecurity and risk management practices. Specifically, the company allegedly failed to follow its own cybersecurity controls, including its secure password policy and its secure development lifecycle (“SDL”) software production methodology. At the same time, SolarWinds’ CISO stated in internal communications that the company’s critical assets were “very vulnerable” while the company publicly touted its supposedly strong cybersecurity practices.
In addition to these internal control failures, the complaint alleges that senior corporate leaders were acutely aware of the company’s vulnerabilities as far back as 2018 but made multiple public disclosures that were calculated to mislead investors and customers about its practices. This included statements made by the company in its Form 8-K announcement of the SUNBURST attack, which suggested that the extent of the cybersecurity incident was not fully known when, in fact, the company already had confirmation of the scope of the attack. For example, the company announced the vulnerability “could potentially allow an attacker to compromise” customers’ software even though the company had already confirmed that the software was compromised.
The recent activity by NYDFS and the SEC not only shows the increased attention that regulators are paying to companies’ cybersecurity programs, but also that company leaders may be held personally liable for cybersecurity failures. Companies should take proactive steps to design robust cybersecurity programs that function as documented, and should regularly test and monitor their effectiveness, so that public statements and compliance certifications rest on verifiable evidence rather than aspiration.