The New York Department of Financial Services (“NYDFS”) published the latest draft of its Proposed Second Amendment to its landmark Cybersecurity Regulation (23 NYCRR 500) on November 9, 2022.  The proposed second amendment comes after an initial comment period on an earlier-released draft amendment released on July 29, 2022.  NYDFS is accepting comments on the proposed second amendment through January 9, 2023. 

The latest version of the draft amendment maintains the significant proposed changes to the Cybersecurity Regulation previewed in the first draft amendment, notably:

  1. Establishing a separate, size and revenue-based class of regulated entity (“Class A companies”) with additional cybersecurity requirements;
  2. Expanding reporting requirements to cover privileged account compromise, ransomware deployment, and “extortion” payments, and requiring written justifications for “extortion” payments;
  3. Increasing governance and programmatic requirements, including requiring Board-level oversight of cybersecurity risk management; and
  4. Providing a list of mitigating factors to be considered in the enforcement context.

A more detailed discussion of each element is provided below.

Class A Companies.  The Proposed Amendment establishes a new class of regulated entity, “Class A companies,” which are defined as entities with at least $20,000,000 in gross annual revenue and:

  1. Over 2,000 employees, including all of an entity’s affiliates no matter where located; or
  2. Over $1,000,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and all of its affiliates.

Under the Proposed Amendment, Class A companies are subject to heightened cybersecurity requirements, including requirements to: 

  • Conduct independent audits at least annually;
  • Conduct risk assessments by external experts at least once every three years; and
  • Implement certain system-level requirements, such as monitoring privileged access activity, implementing a privileged access management solution, and implementing an endpoint detection and response solution, as well as a solution that centralizes logging and security event alerting. 

Expanded Reporting Obligations.  The Proposed Amendment expands the categories of cybersecurity events for which an entity must provide notice to the department within 72 hours.  The pre-amendment regulation required notice within 72 hours of “cybersecurity events … of which notice is required to be provided to any government body, self-regulatory agency or any supervisory body” and “cybersecurity events that have a reasonable likelihood of materially harming any material part of [] normal operation(s)[.]”  The Proposed Amendment adds two new categories of events with a 72-hour notice requirement:

  1. Access by an unauthorized user to a “privileged account,” which the Proposed Amendment defines as an account used to “perform security-relevant functions that ordinary users are not authorized to perform” or that can “affect a material change to the technical or business operations of the covered entity.”
  2. Cybersecurity events “that resulted in the deployment of ransomware within a material part of the covered entity’s information system.”

As to third parties, the Proposed Amendment also requires that a covered entity provide notice within 72 hours of “a cybersecurity event at a third party service provider.” 

Furthermore, the Proposed Amendment requires that an entity report “extortion payment[s] made in connection with a cybersecurity event . . . within 24 hours of the extortion payment[.]”  Within 30 days of the payment, an entity must also provide the Department with “a written description of the reasons payment was necessary, a description of alternatives to payment considered, all diligence performed to find alternatives to payment, and all diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control.” 

Governance and Programmatic Requirements.  The Proposed Amendment establishes increased obligations for management and Board-level directors through governance requirements, as well as more prescriptive programmatic requirements for covered entities.

Governance Requirements.  The Proposed Amendment imposes certain governance requirements on key corporate actors, including the Chief Information Security Officer (“CISO”) and an entity’s senior governing body (e.g., the Board):

  • CISOs – The Proposed Amendment expands the provisions regarding a CISO’s responsibilities, including directing that the CISO “timely report to the senior governing body regarding material cybersecurity issues, such as updates to the covered entity’s risk assessment or major cybersecurity events.”  The Proposed Amendment also clarifies that a CISO must have “adequate authority,” including “the ability to direct sufficient resources to implement and maintain a cybersecurity program.” 
  • Senior Governing Body –  The Amendment establishes specific requirements for an entity’s senior governing body, notably that the body must (1) “exercise oversight of, and provide direction to management on, the covered entity’s cybersecurity risk management;” (2) “require the covered entity’s executive management or its delegates to develop, implement and maintain the covered entity’s cybersecurity program;” and (3) “have sufficient expertise and knowledge, or be advised by persons with sufficient expertise and knowledge, to exercise effective oversight of cybersecurity risk management.”
  • Certifications – The Proposed Amendment expands the annual certification requirements for covered entities, and includes a new requirement that such certification “be signed by the covered entity’s highest-ranking executive and its CISO,” or the “senior officer responsible for the cybersecurity program[.]”

Programmatic Requirements.  The Proposed Amendment expands the suite of programmatic requirements a covered entity must have in place:

  • Operational Resilience and Incident Response Plans – The original regulation required a covered entity to establish a written incident response plan.  The Proposed Amendment now requires an entity to also establish business continuity and disaster recovery (BCDR) plans, with certain minimum requirements, including “procedures for the maintenance of back-up facilities, systems and infrastructure … to enable the timely recovery of data and documentation and to resume operations as soon as reasonably possible[.]”  The Proposed Amendment also calls for annual testing of both the incident response and BCDR plans, as well as the entity’s “ability to restore its systems from backups.”
  • Cybersecurity Policy Requirements – The Proposed Amendment expands the required cybersecurity policies to include, among others, data retention, end of life management, remote access, network monitoring, security awareness and training, application security, incident notification, and vulnerability management.  Separately, the Proposed Amendment expands the definition of risk assessment, requiring a number of specific considerations, including vendor risks.

Mitigating Factors.  The Proposed Amendment provides a list of fifteen factors for the Superintendent to consider when assessing penalties for violations, including factors that could mitigate the severity of any follow-on enforcement action.  Those factors are:

  1. “the extent to which the covered entity has cooperated with the superintendent in the investigation of such acts;
  2. the good faith of the entity;
  3. whether the violations resulted from conduct that was unintentional or inadvertent, reckless, or intentional and deliberate;
  4. whether the violation was a result of failure to remedy previous examination matters requiring attention, or failing to adhere to any disciplinary letter, letter of instructions, or similar;
  5. any history of prior violations;
  6. whether the violation involved an isolated incident, repeat violations, systemic violations or a pattern of violations;
  7. whether the covered entity provided false or misleading information;
  8. the extent of harm to consumers;
  9. whether required, accurate and timely disclosures were made to affected consumers;
  10. the gravity of the violations;
  11. the number of violations and the length of time over which they occurred;
  12. the extent, if any, to which the senior governing body participated therein;
  13. any penalty or sanction imposed by any other regulatory agency;
  14. the financial resources, net worth and annual business volume of the covered entity and its affiliates; and
  15. such other matters as justice and the public interest require.”

Looking Ahead.  The Proposed Amendment is subject to a 60-day comment period that expires on January 9, 2023.  Beyond New York, the Proposed Amendment follows shortly after other federal regulators, including the U.S. Securities and Exchange Commission and the U.S. Cybersecurity and Infrastructure Security Agency, have proposed enhanced cybersecurity governance, programmatic, and notification requirements.  The NYDFS Cybersecurity Regulation has served as a bellwether in the broader cybersecurity regulatory landscape, and companies should expect continued regulatory developments at the federal and state levels.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Micaela McMurrough Micaela McMurrough

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other…

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and she regularly represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Photo of Ashden Fein Ashden Fein

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients…

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security and insider risks. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Ashden currently serves as a Judge Advocate in the
U.S. Army Reserve.

Photo of Mike Nonaka Mike Nonaka

Michael Nonaka is co-chair of the Financial Services Group and advises banks, financial services providers, fintech companies, and commercial companies on a broad range of compliance, enforcement, transactional, and legislative matters.

He specializes in providing advice relating to federal and state licensing and…

Michael Nonaka is co-chair of the Financial Services Group and advises banks, financial services providers, fintech companies, and commercial companies on a broad range of compliance, enforcement, transactional, and legislative matters.

He specializes in providing advice relating to federal and state licensing and applications matters for banks and other financial institutions, the development of partnerships and platforms to provide innovative financial products and services, and a broad range of compliance areas such as anti-money laundering, financial privacy, cybersecurity, and consumer protection. He also works closely with banks and their directors and senior leadership teams on sensitive supervisory and strategic matters.

Mike plays an active role in the firm’s Fintech Initiative and works with a number of banks, lending companies, money transmitters, payments firms, technology companies, and service providers on innovative technologies such as bitcoin and other cryptocurrencies, blockchain, big data, cloud computing, same day payments, and online lending. He has assisted numerous banks and fintech companies with the launch of innovative deposit and loan products, technology services, and cryptocurrency-related products and services.

Mike has advised a number of clients on compliance with TILA, ECOA, TISA, HMDA, FCRA, EFTA, GLBA, FDCPA, CRA, BSA, USA PATRIOT Act, FTC Act, Reg. K, Reg. O, Reg. W, Reg. Y, state money transmitter laws, state licensed lender laws, state unclaimed property laws, state prepaid access laws, and other federal and state laws and regulations.

Photo of Caleb Skeath Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting…

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.

Photo of Matthew Harden Matthew Harden

Matthew Harden is a cybersecurity and litigation associate in the firm’s New York office. He advises on a broad range of cybersecurity, data privacy, and national security matters, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, and regulatory inquiries. He…

Matthew Harden is a cybersecurity and litigation associate in the firm’s New York office. He advises on a broad range of cybersecurity, data privacy, and national security matters, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, and regulatory inquiries. He works with clients across industries, including in the technology, financial services, defense, entertainment and media, life sciences, and healthcare industries.

As part of his cybersecurity practice, Matthew provides strategic advice on cybersecurity and data privacy issues, including cybersecurity investigations, cybersecurity incident response, artificial intelligence, and Internet of Things (IoT). He also assists clients with drafting, designing, and assessing enterprise cybersecurity and information security policies, procedures, and plans.

As part of his litigation and investigations practice, Matthew leverages his cybersecurity experience to advise clients on high-stakes litigation matters and investigations. He also maintains an active pro bono practice focused on veterans’ rights.

Matthew currently serves as a Judge Advocate in the U.S. Coast Guard Reserve.