On Nov. 9, 2022, the New York State Department of Financial Services (NYDFS) published a proposed second amendment to its cybersecurity regulation. This follows its pre-proposed amendment that was published on July 29. Our prior analysis of those amendments is available here. NYDFS did consider comments received in response to the pre-proposed amendments, and the resulting changes clarify and strengthen certain requirements. We highlight some of the key changes.
Additional Incident-Reporting Requirements
The first pre-proposed amendment requires notification to NYDFS within 72 hours of unauthorized access to privileged accounts or the deployment of ransomware within a material part of a covered entity’s information systems. The amendment also proposed a new 24-hour notification obligation in the event a ransom payment is made and a 30-day requirement to provide a written description of why the payment was necessary, alternatives considered and sanctions diligence conducted. Those stringent timelines are maintained in the second amendment, with additional reporting requirements:
- 90 days – Within 90 days of the notice of the cybersecurity event, each covered entity shall provide the superintendent any information requested regarding the investigation of the cybersecurity event, to be sent electronically in the form set forth on the department’s website. Covered entities shall have a continuing obligation to update and supplement the information provided.
- 72 hours – Each covered entity that is affected by a cybersecurity event at a third-party service provider shall notify the superintendent electronically in the form set forth on the department’s website as promptly as possible, but in no event later than 72 hours from the time the covered entity becomes aware of such cybersecurity event.
Revised Definition of Class A Companies
The original proposed amendment created the new category of “Class A” companies, defined as covered entities with more than 2,000 employees or over $1 billion in gross annual revenue averaged over the past three years from all business operations of the company and its affiliates.
The second amendment revises that definition. Class A companies are now those covered entities with at least $20 billion in gross annual revenue in-state in each of the past two fiscal years from business operations of the covered entity and its affiliates that also meet either of the following thresholds:
- More than 2,000 employees averaged over the past two fiscal years, including those of both the covered entity and all of its affiliates, no matter where located; or
- More than $1 billion in gross annual revenue in each of the past two fiscal years from all business operations of the covered entity and all of its affiliates.
The changes in the second amendment may result in excluding from the Class A definition certain covered entities that have a small presence in New York, and they also shift the focus away from gross annual revenue averaged over three years.
Additionally, the second proposed amendment modifies the definition of an “independent audit,” which is to be conducted by an external auditor, not an internal auditor.
The pre-proposed amendment required the chief information security officer (CISO) to have adequate independence and authority to appropriately manage cyber risks. The second proposed amendment removes the CISO independence requirement. It does require the CISO to have the ability to direct sufficient resources to implement and maintain a cybersecurity program. The second proposed amendment also:
- Only requires that the CISO’s annual board reports consider (as opposed to expressly address) certain factors (i.e., the confidentiality of nonpublic information and the integrity and security of the covered entity’s information systems, the covered entity’s cybersecurity policies and procedures, plans for remediating material inadequacies, etc.).
- Removes the obligation included in the pre-proposed amendment that the CISO annually review the feasibility of encryption of nonpublic information at rest and the effectiveness of compensating controls.
- Changes the obligation that both the CEO and the CISO sign an annual certification or acknowledgment of noncompliance to a requirement that the “highest-ranking executive” and the CISO sign.
- Clarifies that the role of the board (or its equivalent or the appropriate committee) shall also include exercising oversight of and providing direction to managers on cybersecurity risk management.
Penetration Testing and Vulnerability Assessments
The second proposed amendment makes significant changes to the strengthened technical and written policy requirements detailed in the pre-proposed amendment. Those technical requirements for penetration testing, vulnerability management and access controls include:
- Requiring that user access privileges for privileged accounts be reviewed at least annually and terminated upon employee departure.
- Having the required penetration testing be conducted by either a qualified internal or external independent party, which must include testing from both inside and outside the information system’s boundaries.
- Replacing the pre-proposed amendment’s exception to multifactor authentication for service accounts with an exception where the CISO approves a reasonably equivalent or more secure control, and otherwise requiring multifactor authentication for (i) remote access to the covered entity’s information systems, (ii) remote access to third-party applications from which nonpublic information is accessible and (iii) all privileged accounts.
- Replacing the pre-proposed amendment requirement for “strong, unique passwords” with a requirement to implement a “written password policy that meets industry standards.”
The pre-proposed amendment expanded the requirements for and definition of “risk assessments.” These changes have been maintained in the second amendment. The pre-proposed amendment required that covered entities review and update risk assessments annually and conduct impact assessments whenever a change in the business or technology causes a material change in the covered entity’s cyber risk. The requirement for impact assessments has been removed in the second amendment.
Incident Response Plan and BCDR Plan
A covered entity would be required to provide relevant training on its incident response plan and its business continuity and disaster recovery (BCDR) plan to all employees necessary to implement such plans, and it must test both plans at least annually. In the second proposed amendment, NYDFS removed the proposed requirement that copies of the incident response and BCDR plans be maintained at one or more accessible off-site locations, and it clarified that the incident response plan and BCDR plan must be both distributed to and accessible by all employees necessary to implement them. Covered entities are also required to maintain backups adequately protected from unauthorized alterations or destruction (instead of “isolated from network connections,” as the pre-proposed amendments had required).
The second proposed amendment continues to illustrate NYDFS’s leading role in requiring covered entities to strengthen their cybersecurity practices. Covered entities should assess their cybersecurity practices to ensure they have adequate controls in place to comply with these anticipated regulatory changes. The 60-day public comment period to the proposed amended regulation ends on Jan. 9, 2023.