
NYDFS Expands Cybersecurity Requirements For Licensed Financial Services Companies


On June 28, 2023, the New York Department of Financial Services
(“NYDFS”) published updated proposed amendments to its
cybersecurity regulation (the “2023 Proposal”) applicable
to “covered entities.”[1] Covered entities are any person operating
under, or required to operate under, a license, registration, charter,
certificate, permit, accreditation or similar authorization under
the New York Banking Law, Insurance Law or Financial Services Law.
These updated amendments come after comments from industry groups
and other stakeholders to the NYDFS’s proposed revisions that
were published on November 9, 2022 (the “2022
Proposal”).[2] Comments on the 2023 Proposal may be submitted
until August 14, 2023.

In this Legal Update, we provide a section-by-section analysis
of new requirements in the 2023 Proposal. The 2023 Proposal is
extensive and would significantly expand requirements for covered
entities. Key new and expanded requirements include: (1) new
requirements for larger companies (Class A Companies, as defined
below); (2) expanded governance requirements, such as board
approval for cybersecurity policies; (3) expanded cyber incident
notice and compliance certification requirements; (4) expanded
requirements for asset inventory; and (5) a revised multi-factor
authentication requirement for user access to a company’s
network.

Section 500.1 – Definitions

The 2023 Proposal would differentiate among the businesses that
are subject to the cybersecurity requirements by creating
“Class A Companies,” which would be covered entities with
at least $20 million in gross annual revenue from operations in New
York (including New York revenue of affiliates) that also have more
than 2,000 employees (including employees of affiliates) or more
than $1 billion in average gross annual revenue over the last two
years (including revenue of affiliates). The latter measurements
are not limited by geography.

The 2023 Proposal would create definitions for an
“Independent Audit,” “Privileged Account,” and
“Senior Governing Body,” which are discussed further in
Sections 500.2, 500.7, and 500.3, respectively. It would remove
language using text messaging as an example of an acceptable
possession factor for multi-factor authentication.

The 2023 Proposal would add a definition of “Risk
Assessment” to specify that a risk assessment is a process of
identifying cybersecurity risks to organizational operations
(including mission, functions, image, and reputation),
organizational assets, individuals, customers, consumers, other
organizations, and critical infrastructure resulting from the
operation of an information system. A risk assessment would need to
consider the specific circumstances of a covered entity. The 2023
Proposal would also modify the “Third Party Service
Provider” definition to exclude governmental entities.

Section 500.2 – Cybersecurity Program

The 2023 Proposal would require Class A Companies to conduct an
Independent Audit of their cybersecurity programs at least
annually. An Independent Audit would be defined as an audit
conducted by internal or external auditors free to make their
decisions, not influenced by the covered entity being audited or by
its owners, managers, and employees.

It also would require all covered entities to make available to
NYDFS documents and other information pertaining to the parts of a
cybersecurity program which were adopted by the company from an
affiliate.

Section 500.3 – Cybersecurity Policy

The 2023 Proposal would clarify that a covered entity’s
cybersecurity policy must be approved by the Senior Governing Body
at least annually. A Senior Governing Body could be a covered
entity’s board of directors (or committee thereof), or the
company’s senior officer if no board exists.

It also would clarify that a covered entity should have
procedures to implement its cybersecurity policy, and would add
data retention, end of life management, remote access, security
awareness and training, systems and application security, and
vulnerability management to items that must be addressed in
cybersecurity policies and procedures.

Section 500.4 – Chief Information Security Officer

The 2023 Proposal would rename the section on the chief
information security officer (“CISO”) to
“cybersecurity governance” and broaden the governance
requirements. The proposed definition for CISO in Section 500.1
would specify that a CISO must have adequate authority and
resources to ensure cybersecurity risks are appropriately
managed.

In addition to the requirement to report annually to a covered
entity’s Senior Governing Body regarding the cybersecurity
program,[3] a CISO would need to report material cybersecurity
issues, including updates to risk assessments and major cyber
events, in a timely manner.

If a covered entity has a board of directors, the board, or a
committee thereof, would need to exercise effective oversight of
management’s cybersecurity risk management and require
management to develop, implement, and maintain a cybersecurity
program. The board or committee also would need to have sufficient
knowledge to exercise effective oversight of cyber risk.

The 2023 Proposal removed language in the 2022 Proposal that
required the board of directors to have sufficient “knowledge
and expertise” to oversee cyber risk, and language that
required the board to “provide direction to management”
on the cybersecurity program.

Section 500.5 – Penetration Testing and Vulnerability
Assessments

The 2023 Proposal would expand the penetration testing and
vulnerability assessment requirements by specifying that
penetration testing must be conducted at least annually by a
qualified internal or external party and vulnerability scans must
be conducted based on the results of the risk assessments. Covered
entities also would need to have a monitoring process for
identifying vulnerabilities. All covered entities would need to
ensure that vulnerabilities are remediated on a risk-focused basis,
and material issues identified through testing are timely
remediated based on the risk they pose.

The 2023 Proposal removes from this section a requirement in the
2022 Proposal that material issues be documented and be reported to
the senior governing body. However, Section 500.4(c) continues to
require that “material cybersecurity issues” be timely
reported to the senior governing body.

Section 500.7 – Access Privileges

The 2023 Proposal would expand the access privilege requirements
to emphasize the principle of least privilege and restrict
protocols that permit remote control of devices. Privileged
Accounts, defined as those that perform security-relevant functions
that ordinary users are not authorized to perform or can affect a
material change to technical or business operations, would be
subject to additional requirements. Covered entities also would
need to implement secure password rules, and Class A Companies
would need to implement additional controls over Privileged
Accounts.

Section 500.8 – Application Security

The 2023 Proposal would specify that the CISO must review
application security materials “at least annually,”
instead of “periodically.”

Section 500.9 – Risk Assessment

With respect to risk assessments, the 2023 Proposal would
require all covered entities to update them at least annually and
conduct an impact assessment whenever a change in the business or
technology causes a material change to cyber risk.

The 2023 Proposal removes the requirement from the 2022 Proposal
that Class A Companies use external experts to conduct a risk
assessment at least once every three years.

Section 500.10 – Cybersecurity Personnel and
Intelligence

The 2023 Proposal would explicitly require a CISO and a covered
entity’s Senior Governing Body to maintain appropriate
oversight of an affiliate or third-party service provider that
performs cybersecurity compliance activities on behalf of the
covered entity.

Section 500.11 – Third Party Service Provider Security
Policy

The 2023 Proposal would remove the exception that an agent,
employee, representative or designee of a covered entity that is
itself regulated by NYDFS need not develop its own third-party
information security policy if it follows the policy of a covered
entity.

However, note that Section 500.19(c) continues to exempt such
agents, employees, representatives, and designees from the need to
have a cybersecurity program to the extent that they follow the
cybersecurity program of another covered entity.

Section 500.12 – Multi-Factor Authentication

The 2023 Proposal would require the use of multi-factor
authentication for any individual accessing the information systems
except where the CISO has approved reasonably equivalent
compensating controls. Compensating controls must be reassessed at
least annually.

Smaller companies that qualify for an exemption under 500.19(a)
would be required to use multi-factor authentication only for
remote access and privileged accounts.

The 2023 Proposal expands the multi-factor authentication
requirements, as the current rule only requires MFA for remote
access.

Section 500.13 – Limitations on Data Retention

The 2023 Proposal would include a requirement that a covered
entity maintain an asset inventory of technology resources. It
would specify the information that must be collected and maintained
for each asset, and would require that the information be updated
and validated as determined by the covered entity.

The 2023 Proposal narrowed similar language in the 2022 Proposal
by adding language clarifying that the asset inventory must be of
the covered entity’s information systems, as opposed to all
assets.

Section 500.14 – Training and Monitoring

The 2023 Proposal would expand the monitoring requirements to
require a covered entity to monitor and filter internet traffic and
emails to block malicious content. Covered entities also would need
to provide training, exercises, and simulations on cybersecurity
and social engineering (such as phishing).

A Class A Company would be required to implement endpoint
detection, anomalous activity monitoring, centralized logging, and
security event alerting, unless the CISO has determined in writing
that it would use a reasonably equivalent or more secure
control.

Section 500.15 – Encryption of Nonpublic Information

The 2023 Proposal would require covered entities to maintain
written encryption policies that meet industry standards and
document approval of compensating controls for the non-use of
encryption in writing.

Section 500.16 – Incident Response Plan

The 2023 Proposal would expand the incident response plan
requirement to include business continuity and disaster recovery
(“BCDR”) planning for cybersecurity events. Incident and
BCDR plans would need to be distributed or made accessible to
relevant employees, subject to training, and periodically tested at
least annually. Incident response planning would also require
post-event root cause analysis of the incident.

Covered entities also would be required to test their ability to
restore systems from backups and maintain protected backups at
least once a year.

The 2023 Proposal added language to the 2022 Proposal that
specifies the required BCDR planning is for recovery from
cybersecurity events, as opposed to recovery from all potential
disruptions to normal business activities.

Section 500.17 – Notices to Superintendent

The 2023 Proposal would expand the cybersecurity event
notification requirement to expressly cover three categories of
cybersecurity events: (i) cybersecurity events where an
unauthorized user has gained access to a privileged account; (ii)
cybersecurity events that resulted in the deployment of ransomware
within a material part of the covered entity’s information
system; or (iii) cybersecurity events at a third-party service
provider that affect a covered entity. It also would require a
covered entity to provide and update information that NYDFS may
request regarding the investigation of the cybersecurity event.

It also would add a new notification requirement for extortion
payments. A covered entity would be required to notify NYDFS of an
extortion payment made in connection with a cybersecurity event
within 24 hours of making the payment. The covered entity then
would be required to provide notice to NYDFS within 30 days of the
reasons payment was necessary, a description of alternatives to
payment considered, all diligence performed to find alternatives to
payment, and all diligence performed to ensure compliance with
applicable rules and regulations, including those of the Office of
Foreign Assets Control.

The 2023 Proposal would expand the annual compliance
certification for non-compliance with the requirements by requiring
written disclosure of requirements that the covered entity has not
fully complied with and the nature of such non-compliance. It would
also require that the certification be based on documentation
sufficient to demonstrate full compliance, such as reports or
sub-certifications. It would also require certification that the
company was in full compliance as of December 31 of the prior year,
and material compliance throughout the rest of the prior year.

The compliance certification would need to be signed by the
covered entity’s highest-ranking executive and CISO (or other
person responsible for cybersecurity).

The 2023 Proposal makes several changes from the 2022 Proposal,
including a new requirement that companies certify material
compliance throughout the prior year, and the removal of the
requirement that a written acknowledgement of non-compliance
include information such as systems that require improvement and a
timeline for remediation.

Section 500.19 – Exemptions

The 2023 Proposal would modestly expand the number of companies
that qualify for small-company exemptions from some cybersecurity
requirements by raising the personnel threshold from 10 to 20 and
the total assets threshold from $10 million to $15 million. It
would also expand the list of licensees fully exempt from the
regulation to include reciprocal jurisdiction reinsurers,
inactive individual insurance agents and brokers, and inactive
individual mortgage loan originators.

The 2023 Proposal would also require that companies that ceased
to be eligible for an exemption would have 180 days to come into
compliance.

Section 500.20 – Enforcement

The 2023 Proposal would expand the enforcement provision by
specifying that a single act, or failure to act, constitutes a
violation of the cybersecurity requirements, including the failure
to materially comply for any 24-hour period with any requirement.
It also would list factors that NYDFS will consider when assessing
a penalty for a violation, such as a covered entity’s history
of prior violations.

The 2023 Proposal changed the requirement that each 24-hour period
of non-compliance constitutes a violation by adding a requirement
that such violation be material.

Section 500.21 – Effective Date

The revisions would become effective upon adoption by NYDFS,
subject to the transitional arrangements discussed below.

Section 500.22 – Transitional Periods

Covered entities generally would be required to comply with the
revisions within 180 days of adoption by NYDFS. However, some
provisions in the proposal have different effective dates:

  • 30 days after adoption: requirements for cybersecurity event
    notification and annual compliance certification

  • One year after adoption: requirements for incident response
    planning and BCDR, governance, encryption, and the size-based
    exemption

  • 18 months after adoption: requirements for vulnerability
    scanning, password controls, and enhanced monitoring controls for
    Class A Companies

  • Two years after adoption: requirements for an asset inventory
    and multi-factor authentication

NEW Section 500.24 – Exemptions from Electronic Filing
and Submission Requirements

The 2023 Proposal would add a new section that allows a covered
entity to request an exemption from having to make an electronic
filing or a submission as part of compliance with a
requirement.

Section 500 Appendices – Certification of Compliance and
Notice of Exemption

The 2023 Proposal would delete the appendices that contain model
forms of the certification of compliance and notice of exemption.
Absent an exemption, the 2023 Proposal would require filings by
covered entities to be submitted electronically.

Conclusions

The 2023 Proposal would significantly expand the cybersecurity
requirements for companies regulated by NYDFS, particularly larger
companies that would fall within the definition of Class A
Companies. Some new requirements may also require extensive
modifications to existing systems (e.g., attributes in asset
inventories).

While the amendments are subject to notice-and-comment, covered
entities will likely benefit from considering how they would meet
these requirements if they are finalized in substantially similar
form. In addition, businesses that are not subject to the DFS
regulation may benefit from reviewing these regulations to
understand potential future trends, as DFS cyber regulations have a
history of being adopted by other state and federal regulators.

Footnotes

1. NYDFS, Updated Proposed Second Amendment to 23 N.Y.C.R.R. pt. 500
(June 28, 2023), https://www.dfs.ny.gov/system/files/documents/2023/06/rev_rp_23a2_text_20230628.pdf;
NYDFS, Cybersecurity Requirements for Financial Services Companies,
XLV (No. 26) N.Y. Reg. 23-27 (June 28, 2023), https://dos.ny.gov/system/files/documents/2023/06/062823.pdf.

2. NYDFS, Cybersecurity Requirements for Financial Services Companies,
XLIV (No. 45) N.Y. Reg. 26-28 (Nov. 9, 2022), https://dos.ny.gov/november-9-2022vol-xliv-issue-45.

3. As part of the annual report, the CISO would need to address
plans for remediating material inadequacies.


© Copyright 2023. The Mayer Brown Practices. All rights
reserved.
