The New York Department of Financial Services (“NYDFS”) published the latest draft of its Proposed Second Amendment to its landmark Cybersecurity Regulation (23 NYCRR 500) on November 9, 2022. The proposed second amendment follows an initial comment period on an earlier draft amendment released on July 29, 2022. NYDFS is accepting comments on the proposed second amendment through January 9, 2023.
The latest version of the draft amendment maintains the significant proposed changes to the Cybersecurity Regulation previewed in the first draft amendment, notably:
- Establishing a separate, size and revenue-based class of regulated entity (“Class A companies”) with additional cybersecurity requirements;
- Expanding reporting requirements to cover privileged account compromise, ransomware deployment, and “extortion” payments, and requiring written justifications for “extortion” payments;
- Increasing governance and programmatic requirements, including requiring Board-level oversight of cybersecurity risk management; and
- Providing a list of mitigating factors to be considered in the enforcement context.
A more detailed discussion of each element is provided below.
Class A Companies. The Proposed Amendment establishes a new class of regulated entity, “Class A companies,” which are defined as entities with at least $20,000,000 in gross annual revenue and:
- Over 2,000 employees, including all of an entity’s affiliates no matter where located; or
- Over $1,000,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and all of its affiliates.
Under the Proposed Amendment, Class A companies are subject to heightened cybersecurity requirements, including requirements to:
- Conduct independent audits at least annually;
- Conduct risk assessments by external experts at least once every three years; and
- Implement certain system-level requirements, such as monitoring privileged access activity, implementing a privileged access management solution, and implementing an endpoint detection and response solution, as well as a solution that centralizes logging and security event alerting.
Expanded Reporting Obligations. The Proposed Amendment expands the categories of cybersecurity events for which an entity must provide notice to the department within 72 hours. The pre-amendment regulation required notice within 72 hours of “cybersecurity events … of which notice is required to be provided to any government body, self-regulatory agency or any supervisory body” and “cybersecurity events that have a reasonable likelihood of materially harming any material part of [] normal operation(s)[.]” The Proposed Amendment adds two new categories of events with a 72-hour notice requirement:
- Access by an unauthorized user to a “privileged account,” which the Proposed Amendment defines as an account used to “perform security-relevant functions that ordinary users are not authorized to perform” or that can “affect a material change to the technical or business operations of the covered entity.”
- Cybersecurity events “that resulted in the deployment of ransomware within a material part of the covered entity’s information system.”
As to third parties, the Proposed Amendment also requires that a covered entity provide notice within 72 hours of “a cybersecurity event at a third party service provider.”
Furthermore, the Proposed Amendment requires that an entity report “extortion payment[s] made in connection with a cybersecurity event . . . within 24 hours of the extortion payment[.]” Within 30 days of the payment, an entity must also provide the Department with “a written description of the reasons payment was necessary, a description of alternatives to payment considered, all diligence performed to find alternatives to payment, and all diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control.”
Governance and Programmatic Requirements. The Proposed Amendment establishes increased obligations for management and Board-level directors through governance requirements, as well as more prescriptive programmatic requirements for covered entities.
Governance Requirements. The Proposed Amendment imposes certain governance requirements on key corporate actors, including the Chief Information Security Officer (“CISO”) and an entity’s senior governing body (e.g., the Board):
- CISOs – The Proposed Amendment expands the provisions regarding a CISO’s responsibilities, including directing that the CISO “timely report to the senior governing body regarding material cybersecurity issues, such as updates to the covered entity’s risk assessment or major cybersecurity events.” The Proposed Amendment also clarifies that a CISO must have “adequate authority,” including “the ability to direct sufficient resources to implement and maintain a cybersecurity program.”
- Senior Governing Body – The Proposed Amendment establishes specific requirements for an entity’s senior governing body, notably that the body must (1) “exercise oversight of, and provide direction to management on, the covered entity’s cybersecurity risk management;” (2) “require the covered entity’s executive management or its delegates to develop, implement and maintain the covered entity’s cybersecurity program;” and (3) “have sufficient expertise and knowledge, or be advised by persons with sufficient expertise and knowledge, to exercise effective oversight of cybersecurity risk management.”
- Certifications – The Proposed Amendment expands the annual certification requirements for covered entities, and includes a new requirement that such certification “be signed by the covered entity’s highest-ranking executive and its CISO,” or the “senior officer responsible for the cybersecurity program[.]”
Programmatic Requirements. The Proposed Amendment expands the suite of programmatic requirements a covered entity must have in place:
- Operational Resilience and Incident Response Plans – The original regulation required a covered entity to establish a written incident response plan. The Proposed Amendment now requires an entity to also establish business continuity and disaster recovery (BCDR) plans, with certain minimum requirements, including “procedures for the maintenance of back-up facilities, systems and infrastructure … to enable the timely recovery of data and documentation and to resume operations as soon as reasonably possible[.]” The Proposed Amendment also calls for annual testing of both the incident response and BCDR plans, as well as the entity’s “ability to restore its systems from backups.”
- Cybersecurity Policy Requirements – The Proposed Amendment expands the required cybersecurity policies to include, among others, data retention, end of life management, remote access, network monitoring, security awareness and training, application security, incident notification, and vulnerability management. Separately, the Proposed Amendment expands the definition of risk assessment, requiring a number of specific considerations, including vendor risks.
Mitigating Factors. The Proposed Amendment provides a list of fifteen factors for the Superintendent to consider when assessing penalties for violations, including factors that could mitigate the severity of any follow-on enforcement action. Those factors are:
- “the extent to which the covered entity has cooperated with the superintendent in the investigation of such acts;
- the good faith of the entity;
- whether the violations resulted from conduct that was unintentional or inadvertent, reckless, or intentional and deliberate;
- whether the violation was a result of failure to remedy previous examination matters requiring attention, or failing to adhere to any disciplinary letter, letter of instructions, or similar;
- any history of prior violations;
- whether the violation involved an isolated incident, repeat violations, systemic violations or a pattern of violations;
- whether the covered entity provided false or misleading information;
- the extent of harm to consumers;
- whether required, accurate and timely disclosures were made to affected consumers;
- the gravity of the violations;
- the number of violations and the length of time over which they occurred;
- the extent, if any, to which the senior governing body participated therein;
- any penalty or sanction imposed by any other regulatory agency;
- the financial resources, net worth and annual business volume of the covered entity and its affiliates; and
- such other matters as justice and the public interest require.”
Looking Ahead. The Proposed Amendment is subject to a 60-day comment period that expires on January 9, 2023. Beyond New York, the Proposed Amendment follows shortly after federal regulators, including the U.S. Securities and Exchange Commission and the U.S. Cybersecurity and Infrastructure Security Agency, proposed enhanced cybersecurity governance, programmatic, and notification requirements of their own. The NYDFS Cybersecurity Regulation has served as a bellwether in the broader cybersecurity regulatory landscape, and companies should expect continued regulatory developments at the federal and state levels.