The New York Department of Financial Services (“NYDFS”) recently posted a request for public comment on a set of proposed amendments to NYDFS’ current “Cybersecurity Requirements for Financial Services Companies” (“Regulations”). The amendments to the Regulations (“Pre-Proposal Amendments”) are in the “pre-proposal” phase, meaning that the NYDFS will issue official proposed amendments in the near future. Once official proposed amendments are issued, a 60-day public comment period starts, which means that amended Regulations likely will take effect sometime in 2023. In the meantime, entities subject to the Regulations should review the Pre-Proposal Amendments to help ensure sufficient time and resources to implement new requirements.
As background, the Regulations became effective on March 1, 2017, but followed a phased implementation process. The Regulations apply to all entities licensed by the NYDFS (“covered entities”), including banks, insurance companies, money transmitters and other financial services firms doing business in New York. The last phase of the Regulations was implemented in March 2019, at which point the Regulations were fully effective.
Notable changes to the Regulations in the Pre-Proposal Amendments include:
New category of covered entity: Class A companies. The Pre-Proposal Amendments introduce a new category of “Class A companies,” which are covered entities that either have more than 2,000 employees or an average gross annual revenue of more than $1.0 billion over the previous three fiscal years. The threshold for Class A companies is based on the total number of employees or average gross revenue for the combined “business operations of the covered entity and all of its affiliates.”
The Pre-Proposal Amendments would add new compliance requirements for a Class A company, which must:
- conduct an annual independent audit of its cybersecurity program. The new defined term for “independent audit” allows for an internal auditor if the auditor is “free to make [his/her/their] decisions”;
- retain an external auditor to conduct a cybersecurity risk assessment at least once every three years;
- perform at least weekly system scans or reviews as well as the currently required bi-annual vulnerability assessments;
- monitor access activity for privileged accounts (a new defined term) and implement a password vaulting solution for such privileged accounts that automatically blocks “commonly used passwords” unless otherwise approved in writing by the entity’s Chief Information Security Officer (“CISO”); and
- implement a centralized endpoint detection and response solution to monitor and log anomalous activity and provide alerts in the instance of a security event unless otherwise approved in writing by the CISO.
New requirements for CISOs. The Pre-Proposal Amendments provide that a covered entity’s CISO must:
- have “adequate independence and authority to ensure that cybersecurity risks are appropriately managed”;
- timely report to the covered entity’s Board of Directors regarding material cybersecurity issues, such as updates to the covered entity’s risk assessment, plans for remediating inadequacies identified in the risk assessment and major cyber events; and
- submit (with the covered entity’s CEO) an annual certification that the covered entity has complied with the Regulations. Alternatively, if the covered entity has not complied, the CISO and CEO must acknowledge the non-compliance and identify the part(s) of the Regulations that were not satisfied and the nature and extent of the non-compliance.
New governance requirements. The Pre-Proposal Amendments contain a number of new governance requirements for covered entities, including requirements that a covered entity’s Board of Directors (or an appropriate committee of the Board):
- be directly involved in the preparation for and resolution of cybersecurity incidents;
- approve cybersecurity policies each year;
- require senior management to develop, implement, and maintain an information security program for the covered entity;
- possess sufficient expertise and knowledge, or employ someone to advise them with sufficient expertise and knowledge, to effective exercise oversight of cybersecurity risk; and
- receive reports, along with senior management of the covered entity, as to “material gaps” in the covered entity’s cybersecurity practices that are identified during testing.
Annual risk assessments for all covered entities. The Regulations currently require covered entities to perform periodic risk assessments of their cybersecurity posture. The Pre-Proposal Amendments require a covered entity to (i) update its risk assessment at least annually and (ii) conduct an “impact assessment” whenever a change in the business or technology causes a material change to the covered entity’s cybersecurity risk. In addition, the Pre-Proposal Amendments specify that a “qualified independent party” performs the annual penetration test that all covered entities are required to perform; the term “qualified independent party” is not defined.
Treatment of privileged accounts. The Pre-Proposal Amendments introduce the term “privileged account,” which is defined as “any authorized user or service account” that can be used to “perform security-related functions ordinary users are not authorized to perform” or affect a material change to “the technical or business operations” of the covered entity. The Pre-Proposal Amendments impose on covered entities obligations to:
- require multi-factor authentication (a defined term in the Regulations and the subject of December 2021 guidance) in order to gain access to privileged accounts, except for service accounts;
- limit the number of privileged accounts;
- limit the access functions of privileged accounts to only those necessary to perform the account user’s job;
- limit the use of privileged accounts to those functions requiring the use of such access; and
- notify NYDFS within 72 hours of a cybersecurity event where an unauthorized user has gained access to a privileged account.
New disaster recovery and business continuity requirements. The Pre-Proposal Amendments clarify that the cybersecurity program must include a business continuity and disaster recovery (“BCDR”) plan designed to ensure the availability and functionality of the covered entity’s services and protect the covered entity’s personnel, assets, and nonpublic information in the event of an emergency or other disruption to its normal business activities.
The BCDR plan must include:
- documentation of the data, facilities, infrastructure, personnel, and competencies essential to the continued operations of the covered entity’s business;
- a procedure for communicating with essential personnel in the event of an emergency or other disruption to the operations of the covered entity and for maintaining back-up facilities, systems, infrastructure, alternative staffing and other resources to enable resumption of operations as soon as reasonably possible;
- training for those employees responsible for implementing the BCDR plan and the proper incident response for their role and responsibilities;
- periodic testing of the covered entity’s incident response plan with senior management (including the CEO) and relevant personnel critical to the recovery effort and ability to restore their systems from back-ups; and
- back-ups isolated from network connections.
New requirements for ransomware attacks. Not surprisingly, given the NYDFS’ 2021 ransomware prevention guidance and SolarWinds risk alert, the Pre-Proposal Amendments specifically address ransomware attacks, requiring covered entities to:
- notify the NYDFS electronically no later than 72 hours after a cybersecurity event that resulted in the deployment of ransomware within a material part of the covered entity’s information systems; and
- notify the NYDFS within 24 hours of an extortion payment being made in connection with a cybersecurity event, which notice must include a written description of why the payment was necessary, what alternatives were considered, and all compliance due diligence performed within 30 days of payment.
The Pre-Proposal Amendments share features with both last year’s amendments from the Federal Trade Commission to the Standards for Safeguarding Customer Information under the Gramm-Leach-Bliley Act (“Safeguards Rule,” see our overview here) and the SEC’s proposed “Rules for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure,” published on March 9, 2022. All three emphasize the importance of risk assessments, accountability and Board involvement, testing and monitoring (including penetration testing), and updates to cybersecurity policies and procedures as needed to reflect changes to the risk landscape and past incidents. Collectively, they also reflect the general trend toward increased regulatory scrutiny of cybersecurity risk management, which seemed to peak in the aftermath of 2020’s announcement of the SolarWinds ransomware attack and the resulting Executive Order on Improving the Nation’s Cybersecurity, issued by President Biden in May 2021.
We will follow the NYDFS’ process of amending the Regulations, as well as other key cybersecurity developments. Please do not hesitate to reach out to the authors or your usual Squire Patton Boggs contact for further information.