Monday, August 8, 2022
NYSDFS Proposes New Cybersecurity Requirements
On July 29, 2022, the Superintendent of the New York State Department of Financial Services (“NYSDFS”) issued a proposed amendment to 23 NYCRR Part 500, otherwise known as the NYSDFS Cybersecurity Regulation. The NYSDFS joins the list of regulators who have proposed updates to cybersecurity regulations in the last twelve months (e.g., the FTC’s amendment to the Safeguards Rule and the SEC’s proposed rule on cybersecurity disclosure requirements), adding to the ever-increasing compliance burden that financial institutions face.
The NYSDFS amendments, if codified, would impose several new obligations on covered entities. We’ve highlighted some of the key changes below. The full text of the proposed amendment can be found here.
New Class A Category Requirements
The proposed amendment would create a new type of covered entity – a Class A company. Class A companies are covered entities who either have over 2,000 employees or average $1 billion in gross annual revenue over the last three fiscal years (from both the covered entity and its affiliates, in the aggregate).
Class A companies would be subject to additional cybersecurity measures in excess of the baseline requirements already in effect. These additional measures would include:
- Conducting an independent audit of the company’s cybersecurity program at least once a year;
- Conducting systematic vulnerability scans at least weekly, with the discovery of any material findings properly documented and reported;
- Monitoring privileged account activity through the implementation of specific access controls for passwords, including a password vaulting solution for privileged accounts and automated blocking of commonly used passwords;
- Implementing endpoint detection and response (EDR) and Security Information and Event Management (SIEM) solutions.
Additional Baseline Requirements for All Covered Entities
The proposed amendment also includes changes to a covered entity’s general cybersecurity governance, new technological directives and access controls, and revised reporting requirements.
- Covered entities must now have a senior governing body responsible for the cybersecurity program, and this senior governing body should receive timely reports from a CISO on material cybersecurity issues and approve written cybersecurity policies on an annual basis.
- If a covered entity has a board of directors, the board’s members should have sufficient cybersecurity expertise and direct executive management to develop, implement and maintain the information security program.
- Covered entities must establish and periodically test a business continuity & disaster recovery (BCDR) plan that addresses areas like critical personnel, network configuration, communication strategies, and back-up posture.
- Covered entities should periodically test their incident response plans with critical staff that includes senior officers and the CEO.
- In addition to performing an annual risk assessment, covered entities should also conduct an impact assessment whenever material changes in business or technology could impact their cyber risk.
- Covered entities should ensure that material gaps identified from penetration tests and vulnerability assessments are documented and reported to senior management.
Technological Directives and Access Controls
- Covered entities should implement multi-factor authentication for remote access to the network and to third-party applications that store nonpublic information.
- Covered entities should monitor and filter emails as a means to block malicious content, while also providing regular phishing training to users.
- Covered entities should limit the number and use of privileged accounts to necessary job duties, as well as periodically review and remove access/accounts where no longer necessary.
Revised Reporting Requirements
- Two new examples of a cybersecurity event that would require reporting to the Superintendent within 72 hours: unauthorized access to a privileged account and a ransomware attack.
- Covered entities who have made an extortion payment in connection with any cybersecurity event shall submit electronic notice of payment to the Superintendent within 24 hours of payment and a written description of reasons why payment was necessary within 30 days of payment.
Violations and Penalty Assessment
The amendment also clarifies the department’s enforcement capabilities. Namely, the performance of a single prohibited act or failure to comply with any obligation is a de facto violation. Second, the assessment of any penalty would take into account mitigating factors, such as the extent of cooperation, good faith efforts, and whether the violation arose from unintentional or inadvertent conduct.
Amendment in Effect
The next few months will feature pre-proposal and official proposal commentary periods whereby any interested party can address the language of the amendment. Thereafter, the amendment would not take effect until at least 180 days from the date of adoption. As a result, a revised NYSDFS Cybersecurity Regulation is unlikely to go into effect until 2023.
To learn more about how Maynard can help with your NYSDFS and other cybersecurity compliance efforts, please contact a team member in our Cybersecurity & Privacy Practice Group.