The New York Department of Financial Services (NYDFS) presented new amendments last month to help “ratchet up” its cybersecurity requirements for financial institutions headquartered in the state, signaling potential heightened regulations for all U.S. banks.
New York has long been a pacesetter in “codifying” cybersecurity and other regulatory rules for financial institutions. Going back to 2015, New York state has taken a leading role in setting cybersecurity regulations and guidance for financial institutions, and in 2017 the NYDFS took a “catalytic” role in setting cybersecurity rules and guidance.
“The cybersecurity landscape has evolved in the past five years, and the Draft Amendments demonstrate that DFS continues to take a forward-leaning role in strengthening cybersecurity practices,” according to a blog post on the Gibson Dunn website.
The recent NYDFS proposals increased expectations for senior leaders, heightened technology requirements, an expanded set of events covered under the mandatory 72-hour notification requirements, a new 24-hour reporting requirement for ransom payments and a 30-day submission of defenses, significant new requirements for business continuity and disaster recovery, and heightened annual certification and assessment requirements.
Also, the amended regulations would propose a new class comprising larger entities, which will be subject to increased obligations for their cybersecurity programs. Even the definition of a "cybersecurity program" has been expanded to include coverage of nonpublic information stored on those information systems — a substantial increase in covered information that will have significant downstream effects on reporting and certification requirements.
Here are some key provisions of the NYDFS amendments:
More stringent notification obligations
The draft amendments establish additional requirements on top of DFS’s existing 72-hour notification requirements, including:
- Requiring notification to DFS within 72 hours of unauthorized access to privileged accounts or the deployment of ransomware within a material part of the company’s information systems. These are in addition to the existing requirements to notify DFS within 72 hours of any cybersecurity events that require notice to a supervisory body or that have a reasonable likelihood of materially harming a material part of the company’s normal operations. Notably, these newly proposed requirements would significantly lower the notification threshold, as they could be triggered before any sign of actual data compromise or exfiltration.
- A new 24-hour notification obligation in the event a ransom payment is made, and a 30-day requirement to provide a written description of why the payment was necessary, alternatives to payment that were considered, and all sanctions diligence conducted.
Heightened requirements for larger “Class A” companies
Adhering to the mantra “with great data comes great responsibility,” the draft amendments also increase cybersecurity obligations for a newly defined class of larger entities under DFS’s authority. These “Class A” companies are defined as entities with over 2,000 employees or over $1 billion in gross annual revenue, averaged over the last three years, from all business operations of the company and its affiliates. Under the draft amendments, Class A companies are required to comply with heightened technical requirements as well as risk assessments and audits. They must:
- Conduct weekly systematic scans or reviews reasonably designed to identify publicly known cybersecurity vulnerabilities, and document and report any material gaps in testing to the board and senior management;
- Implement an endpoint detection and response solution to monitor anomalous activity, and a solution that centralizes logging and security event alerting;
- Monitor access activity and implement a password vaulting solution for privileged accounts and an automated method of blocking commonly used passwords;
- Conduct an annual, independent audit of their cybersecurity programs; and
- Use external experts to conduct a risk assessment at least once every three years.
Increased obligations on company governing bodies
The original Part 500 regulations imposed a number of new obligations on companies’ governing bodies, including the need for a chief information security officer (CISO) or equivalent personnel, detailed cybersecurity reporting to the board, and written policies approved by a senior officer. The draft amendments meaningfully enhance many of the Part 500 governance requirements, further indicating how important DFS considers strong governance to be in the quest for effective cybersecurity. The draft amendments include obligations:
- To ensure the boards of covered entities have sufficient expertise and knowledge, or be advised by persons with sufficient expertise and knowledge, to exercise effective oversight of cyber risk;
- To provide the CISO with adequate independence and authority to appropriately manage cyber risks;
- That the CISO will provide the board with additional detailed annual reporting on plans for remediating issues and material cybersecurity issues or events;
- That the CISO will annually review the feasibility of encryption and the effectiveness of any compensating controls for any unencrypted nonpublic information;
- That covered entities’ cybersecurity policies must be approved by the board on an annual basis; and
- That significantly expand the annual certification requirements, requiring covered entities to not only certify to their compliance or acknowledge any noncompliance, but also provide sufficient data and documentation to accurately determine and demonstrate compliance, and have such certification or acknowledgment of noncompliance signed by both the CEO and the CISO.
The draft amendments also provide an option for covered entities to submit written acknowledgement that, for the prior calendar year, they did not fully comply with their cybersecurity obligations. Covered entities who submit this acknowledgment will be required to identify all the provisions of the compliance rules that were not followed, describe the nature and extent of the noncompliance, and identify all the areas, systems, and processes that require material improvement, updating, or redesign.
These additional reporting requirements are substantial, and would greatly increase the burden on CEOs, CISOs, and other personnel involved in the preparation of these annual certifications or acknowledgements.
Expanded requirements for operational resilience and incident response
The draft amendments expand measures directed at “operational resilience” beyond incident response plans, requiring covered entities to also have written plans for business continuity and disaster recovery (BCDR). Notably, the original Part 500 cybersecurity regulations were the first of their kind to stipulate detailed requirements for cybersecurity incident response plans. DFS is again breaking similar ground with BCDR plans, requiring proactive measures to mitigate disruptive events by, at a minimum:
- Identifying business components essential to continued operations (documents, data, facilities, personnel, and competencies) and personnel responsible for implementation of the BCDR plans;
- Preparing communications plans to ensure continuity of communications with various stakeholders (leadership, employees, third parties, regulatory authorities, others essential to continuity);
- Maintaining procedures for the back-up of infrastructure and data; and
- Identifying third parties necessary to continued operations.
Furthermore, DFS has proposed a significant revision to its requirements for incident response plans, requiring that they differentiate based on incident type (e.g., ransomware), while continuing to require that such plans address the previously enumerated areas (e.g., internal response processes; incident response plan goals; definitions of clear roles, responsibilities and levels of decision-making authority; communications and information sharing; identification of remediation requirements; documentation and reporting, etc.) as well as the newly added requirement to address recovery from backups.
Under the draft amendments, relevant personnel must receive copies of the incident response plan and BCDR plan, copies must be maintained offsite, and all personnel involved in implementation of the plans must receive appropriate training. In addition, covered entities are required to conduct incident response and BCDR exercises.
Enhanced technology and policy requirements
The draft amendments strengthen technical requirements and written policy requirements for covered entities, codifying certain best practices in key cyber risk areas. The draft amendments specifically:
- Clarify the definition of “privileged accounts” as covering any account that can be used to perform security-relevant functions that ordinary users are not authorized to perform, or to effect a material change to technical or business operations. Under the proposals, privileged accounts must:
  - Have multi-factor authentication (with exceptions for certain service accounts);
  - Be limited in both number and access functions to only those necessary to perform the user’s job; and
  - Be limited in use to only when performing functions requiring such access;
- Require stricter access management, including periodic review of all user access privileges and removal of accounts and access that are no longer necessary, as well as disabling or securely configuring all protocols that permit remote control of devices;
- Require that emails are monitored and filtered to block malicious content from reaching authorized users;
- Mandate penetration testing be conducted by an independent party at least annually, and also adjust the required frequency of vulnerability assessments from bi-annually to “regular[ly],” with Class A companies conducting weekly scans as noted above;
- Require the use of strong, unique passwords — and Class A companies have additional requirements, as discussed above, relating to passwords and monitoring of access activity;
- Require multi-factor authentication for remote access to the network and enterprise and third-party applications that access nonpublic information; and
- Mandate that covered entities must maintain backups isolated from network connections.
The draft amendments also contain new measures for asset inventory and management, which may cost companies significant time and resources to implement. These measures require all covered entities to:
- Implement written policies and procedures to ensure a complete and documented asset inventory for all information systems and their components (e.g., hardware, operating systems, applications, infrastructure devices, APIs, and cloud services); and
- Maintain an asset inventory that, at a minimum, tracks each asset’s key information (e.g., owner, location, classification or sensitivity, support expiration date, and recovery time requirements).
The draft amendments further require additional written cybersecurity policies to include procedures for end-of-life management, remote access, and vulnerability and patch management. Notably, despite the prominence of recent supply chain cybersecurity attacks, there are no substantive changes to the Part 500 requirements relating to third-party service providers.
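As an illustration of the asset inventory and end-of-life requirements above, here is an added example (not from the article, DFS, or any covered entity) that audits a constructed inventory for the minimum fields the draft amendments name and flags components whose vendor support has already expired. The field names, the sample assets and the ISO date format are assumptions for the demonstration.

```python
from datetime import date

# Minimum information the draft amendments say each asset record must track (from the article).
REQUIRED_FIELDS = ("owner", "location", "classification", "support_expiration", "recovery_time_hours")

# Constructed sample inventory spanning the component types the amendments list.
SAMPLE_INVENTORY = [
    {"asset_id": "srv-001", "type": "operating system", "owner": "platform-team",
     "location": "dc-east", "classification": "confidential",
     "support_expiration": "2026-06-30", "recovery_time_hours": 4},
    {"asset_id": "api-017", "type": "API", "owner": "payments-team",
     "location": "cloud-region-a", "classification": "nonpublic",
     "support_expiration": "2022-12-31", "recovery_time_hours": 1},   # vendor support already ended
    {"asset_id": "fw-004", "type": "infrastructure device", "owner": "",
     "location": "dc-west", "classification": "internal",
     "support_expiration": "2027-01-15"},                             # blank owner, no recovery time
]


def check_asset(asset, today):
    """Return the list of gaps found for one asset record; empty means the record is complete."""
    findings = []
    for field in REQUIRED_FIELDS:
        if asset.get(field) in ("", None):
            findings.append(f"missing required field '{field}'")
    exp = asset.get("support_expiration")
    if exp:
        try:
            if date.fromisoformat(exp) < today:
                findings.append(f"support expired on {exp} (end-of-life management needed)")
        except ValueError:
            findings.append(f"unparseable support_expiration '{exp}'")
    return findings


def audit_inventory(inventory, as_of):
    """Map asset_id -> findings for every asset with at least one gap, as of an ISO date string."""
    today = date.fromisoformat(as_of)
    report = {}
    for asset in inventory:
        findings = check_asset(asset, today)
        if findings:
            report[asset["asset_id"]] = findings
    return report


if __name__ == "__main__":
    for asset_id, findings in audit_inventory(SAMPLE_INVENTORY, "2023-01-01").items():
        print(asset_id)
        for finding in findings:
            print("  -", finding)
```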
Increased requirements for risk assessments, impact assessments
The draft amendments further expand the requirements for and definition of “risk assessment” to make clear that they must be:
- Tailored to consider the “specific circumstances” of the covered entity, including size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations; and
- Updated at least annually.
While DFS has not changed the core cybersecurity functions that must be covered by the risk assessment per se, covered entities will need to ensure that it covers the broadened scope of “cybersecurity program” under the draft amendments (nonpublic information stored on the covered entity’s information systems). Furthermore, another substantial proposal is the requirement that covered entities must conduct impact assessments whenever a change in the business or technology causes a material change to the covered entity’s cyber risk.
Clarified enforcement considerations
Finally, the draft amendments contain two significant clarifications regarding the enforcement of the Part 500 Cybersecurity Rules:
- A violation occurs by committing any act prohibited by the regulations or failing to satisfy a required obligation. This includes the failure to comply for more than 24 hours with any part of the regulations or the failure to prevent unauthorized access to nonpublic information due to noncompliance with the regulations.
- DFS may consider certain aggravating and mitigating factors when assessing the severity of penalties, including: cooperation, good faith, intentionality, prior violations, number or pattern of violations, gravity of violation, provision of false or misleading information, harm to customers, accuracy and timeliness of customer disclosures, participation of senior management, penalties by other regulators, and business size.