On July 29, the New York Department of Financial Services (NYDFS) released Draft Amendments to its Part 500 Cybersecurity Rules. The Draft Amendments include a number of significant changes: new notification requirements, such as a mandatory 24-hour notification for cyber ransom payments; specific requirements for newly defined larger entities; increased expectations for oversight of cybersecurity risk; additional requirements for incident response plans (IRPs), business continuity and training; risk assessments; and new technical requirements. The Draft Amendments can be found here. The 10-day pre-proposal comment period would have ended today, Aug. 8, 2022, but NYDFS has extended the comment period for an additional 10 days, with a new deadline of Aug. 18, 2022. The official proposed amendments will be published following the comment period.
NYDFS Cybersecurity Event Notifications
The Draft Amendments create several new notification requirements:
- A 72-hour obligation to notify NYDFS of any cybersecurity event in which an unauthorized user has gained access to a privileged account or any cybersecurity event that results in the deployment of ransomware within a material part of the covered entity’s information systems.
- A 24-hour obligation to notify NYDFS of any extortion payment connected with a cybersecurity event, as well as a 30-day reporting requirement explaining why payment was necessary, alternatives that were considered and the sanctions diligence that was conducted.
Class A Companies
The Draft Amendments create a new category of “Class A” companies, which are covered entities with over 2,000 employees or over $1 billion in gross annual revenues averaged over the past three years from all business operations of the company and its affiliates. Class A companies are subject to several additional cybersecurity obligations, including the following:
- An independent audit of the company’s cybersecurity program must be conducted at least annually.
- External experts must be engaged at least once every three years to conduct a risk assessment.
- Systematic scans or reviews of information systems must be conducted at least weekly, and any material gaps found during testing must be documented and reported to the board and senior management.
- A password vaulting solution must be implemented for privileged accounts, along with an automated method of blocking commonly used passwords, unless the CISO approves in writing the use of reasonably equivalent or more secure access controls. Privileged access activity must also be monitored.
- An endpoint detection and response solution must be implemented to monitor anomalous activity, including lateral movement, as well as centralized logging and security event alerting.
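The list above calls for "an automated method of blocking commonly used passwords" without saying how such a control should behave. The following is an added illustration, not code from the original post or from NYDFS, of the normalization step that makes such a blocker useful in practice: trailing digits and punctuation are stripped and common character substitutions are reversed before the candidate is compared against a blocklist, so that "P@ssw0rd2022!" is still recognized as "password". The blocklist entries, the `examplecorp` stand-in for an entity's own name, and the 12-character minimum are constructed assumptions for the example.

```python
import re
import unicodedata

# Constructed sample blocklist. A production control would load a large corpus
# of breached and commonly used passwords plus organization-specific terms.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "qwerty", "letmein", "welcome", "admin",
    "iloveyou", "examplecorp",  # "examplecorp" stands in for the entity's own name
})

# Reverse the usual character substitutions ("P@ssw0rd" -> "password").
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

_PADDING = r"[\d!?.\-_ ]+"


def normalize(password: str) -> str:
    """Canonicalize a candidate so trivial variants of a blocked word still match."""
    p = unicodedata.normalize("NFKC", password).lower()
    # Strip the digits/punctuation users append or prepend to defeat naive checks
    # (e.g. "Welcome2022!") before undoing leet substitutions, so that a year
    # suffix is not itself turned into letters.
    p = re.sub(_PADDING + r"$", "", p)
    p = re.sub(r"^" + _PADDING, "", p)
    return p.translate(LEET_MAP)


def check_password(password: str, blocklist=COMMON_PASSWORDS, min_length: int = 12) -> list:
    """Return the reasons a password is rejected; an empty list means it is accepted."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    canon = normalize(password)
    if canon in blocklist or password.lower() in blocklist:
        reasons.append("matches a commonly used password")
    else:
        # Only substring-match longer blocked words, so short entries such as
        # "admin" do not reject every long passphrase that happens to contain them.
        for word in sorted(blocklist):
            if len(word) >= 6 and word in canon:
                reasons.append(f"contains blocked word '{word}'")
                break
    return reasons


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2022!", "Welcome2022!!", "Tr0ub4dor&3",
                      "correct horse battery staple"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'rejected: ' + '; '.join(verdict) if verdict else 'accepted'}")
```

The same `check_password` function can be called from a password-change hook or from a periodic audit of a password vault's contents; the design choice worth noting is that normalization happens before the lookup, since a plain exact-match blocklist is defeated by the very variants users reach for first.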
The Draft Amendments provide several additions to the Part 500 governance requirements:
- The CISO must have adequate independence and authority to appropriately manage cyber risks.
- The CISO will need to provide additional annual reporting to the board on plans for remediating inadequacies, as well as timely reporting to the board on material cybersecurity issues or major cybersecurity events.
- The board will be required to have sufficient expertise and knowledge (or be advised by persons with sufficient expertise and knowledge) to exercise effective oversight of cyber risk.
- The board will be required to approve the company’s cybersecurity policies.
- Covered entities must periodically test their (1) IRPs with all staff who are critical to the response, including senior officers and the CEO; (2) business continuity and disaster recovery plans (BCDR plans) with all staff who are critical to the continuity and response effort, including senior officers; and (3) ability to restore their systems from backups. IRPs must address ransomware incidents and include recovery from backups.
The Draft Amendments make several changes to the risk assessment requirements in Part 500, including:
- Assessments will be required to be tailored to the specific organization: “Risk assessment means . . . the process of identifying cybersecurity risks to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, customers, consumers, other organizations, and critical infrastructure resulting from the operation of an information system. Risk assessments shall take into account the specific circumstances of the covered entity, including but not limited to its size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations . . . .”
- The risk assessments must be updated annually and an impact assessment must be conducted whenever a change in the business or technology causes a material change to the company’s cyber risk.
Incident Response Plans, Business Continuity and Training
The Draft Amendments make changes to the existing requirement for covered entities to have an IRP. The Draft Amendments would require that covered entities have written plans that include proactive measures to mitigate disruptive events and ensure operational resilience.
- The current version of the Cybersecurity Rules requires covered entities to have an IRP that is designed to promptly respond to and recover from any cybersecurity event materially affecting the covered entity’s information systems or the continuing functionality of any aspect of the covered entity’s business or operations. The Draft Amendments would also require that IRPs address recovery from backups in the event of a ransomware incident and contain plans for updating the IRP as necessary. In addition, the Draft Amendments require that covered entities periodically test their IRPs with all staff critical to the response, including senior officers and the CEO, and revise the plan as necessary.
- The Draft Amendments require covered entities to implement a BCDR plan that is reasonably designed to ensure the availability and functionality of the covered entity’s services and protect the covered entity’s personnel, assets, and nonpublic information in the event of an emergency or other disruption to its normal business activities. In addition to the plan contents listed below, covered entities would be required to periodically test their BCDR plans with all staff critical to the continuity and response effort, including senior officers.
- BCDR plans must include, at a minimum:
  - Identification of documents, data facilities, infrastructure, personnel, and competencies essential to the continued operations of the covered entity’s business.
  - Identification of the personnel responsible for the implementation of each aspect of the plan.
  - A plan to communicate with essential persons in the event of an emergency or other disruption to the covered entity’s operations.
  - Procedures for appropriate maintenance and staffing of backup facilities, systems, and infrastructure, as well as other resources to enable the timely recovery of data and to resume operations as soon as reasonably possible.
  - Procedures for the backup or copying, with sufficient frequency, of documents and data essential to the operations of the covered entity, and for storing the information offsite.
  - Identification of third parties necessary to the continued operations of the covered entity’s business.
- These plans must be distributed to all relevant employees and copies must be maintained at one or more accessible off-site locations.
- Training must be provided to all employees responsible for implementing the plans.
The Draft Amendments also add several new technology requirements, including:
- Policies and procedures to ensure a complete asset inventory that tracks information (e.g., owner, location, classification or sensitivity, support expiration date, and recovery time requirements) for all hardware, operating systems, applications, infrastructure devices, APIs and cloud services.
- Privileged account requirements, including that (1) the access functions of privileged accounts be limited to only those necessary to perform the user’s job function; (2) multifactor authentication (MFA) be set up for all privileged accounts, except for certain service accounts; and (3) all protocols that permit remote control of devices be disabled or securely configured.
- Each covered entity would be required to maintain backups isolated from network connections.
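The asset inventory and privileged account items above describe what must be tracked but not how an entity would check that it is. The following is an added example, not code from the original post or from NYDFS, of a small audit over a constructed inventory export and a constructed account export: it flags records missing the attributes the draft text names (owner, location, classification, support expiration date, recovery time requirement), assets whose vendor support has lapsed, remote-control protocols left enabled without MFA, and privileged accounts that are not service accounts and lack MFA. The record layout, field names and sample values are this example's own assumptions rather than a schema from the rule.

```python
from datetime import date

# Fields the draft text lists for every inventoried asset. The key names are this
# example's own choice, not a schema from the rule.
REQUIRED_ASSET_FIELDS = (
    "owner", "location", "classification",
    "support_expiration", "recovery_time_objective_hours",
)

# Constructed sample inventory: one clean server, one stale workstation, and one
# API record with gaps.
ASSETS = [
    {"id": "srv-001", "type": "server", "owner": "payments-team",
     "location": "dc-east", "classification": "restricted",
     "support_expiration": "2026-03-31", "recovery_time_objective_hours": 4,
     "remote_control_protocols": {"ssh": {"enabled": True, "mfa": True}}},
    {"id": "ws-042", "type": "workstation", "owner": "",
     "location": "nyc-12f", "classification": "internal",
     "support_expiration": "2021-10-14", "recovery_time_objective_hours": 72,
     "remote_control_protocols": {"rdp": {"enabled": True, "mfa": False}}},
    {"id": "api-billing", "type": "api", "owner": "billing-team",
     "classification": "confidential", "support_expiration": "2025-01-01",
     "remote_control_protocols": {}},
]

# Constructed sample identity export.
ACCOUNTS = [
    {"username": "alice.admin", "privileged": True, "service_account": False, "mfa_enrolled": True},
    {"username": "bob.dba", "privileged": True, "service_account": False, "mfa_enrolled": False},
    {"username": "svc-backup", "privileged": True, "service_account": True, "mfa_enrolled": False},
    {"username": "carol", "privileged": False, "service_account": False, "mfa_enrolled": False},
]


def audit_assets(assets, as_of: str):
    """Return (asset_id, issue) findings for inventory gaps, lapsed vendor support,
    and remote-control protocols enabled without MFA. as_of is an ISO date string."""
    today = date.fromisoformat(as_of)
    findings = []
    for asset in assets:
        # A zero-hour RTO is a valid value, so test for absence rather than falsiness.
        missing = [f for f in REQUIRED_ASSET_FIELDS if asset.get(f) in (None, "")]
        if missing:
            findings.append((asset["id"], "missing fields: " + ", ".join(missing)))
        expiry = asset.get("support_expiration")
        if expiry and date.fromisoformat(expiry) < today:
            findings.append((asset["id"], f"vendor support expired on {expiry}"))
        for proto, cfg in asset.get("remote_control_protocols", {}).items():
            if cfg.get("enabled") and not cfg.get("mfa"):
                findings.append((asset["id"], f"remote-control protocol {proto} enabled without MFA"))
    return findings


def audit_accounts(accounts):
    """Flag privileged accounts lacking MFA. Service accounts are carved out here
    because the draft text excepts certain service accounts from the MFA requirement."""
    return [
        (acct["username"], "privileged account without MFA")
        for acct in accounts
        if acct["privileged"] and not acct["service_account"] and not acct["mfa_enrolled"]
    ]


if __name__ == "__main__":
    for asset_id, issue in audit_assets(ASSETS, "2022-08-08"):
        print(f"{asset_id}: {issue}")
    for user, issue in audit_accounts(ACCOUNTS):
        print(f"{user}: {issue}")
```

Run against a real export, the same two functions give a board-reportable list of gaps; the point of the example is that each requirement in the list above maps to a concrete, repeatable check rather than a one-time attestation.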
The current version of the Cybersecurity Rules permitted a CISO to approve in writing the use of reasonably equivalent alternative controls for external access to a covered entity’s internal network. The Draft Amendments would remove this discretion and require MFA for all remote access to the network as well as for enterprise and third-party applications from which nonpublic information is accessible.
- Implement MFA for remote access and access to applications storing nonpublic information.
- Implement IRPs and BCDR plans.
- IRPs and BCDR plans are separate and are intended to address different types of organizational risks. They should be used in conjunction when responding to a cybersecurity incident.
- Periodically test these plans by holding tabletop exercises.
- Develop – and test – a backup communications plan in the event that normal methods of communication are unavailable or insecure.
- Consider developing an asset inventory now, as it takes time to develop.
- NYDFS has in the past issued fines for what it deemed to be misrepresentations made in companies’ annual certifications. This has been a challenging area for companies that identified and addressed a compliance issue but, pursuant to guidance from NYDFS, could not certify compliance for that year (because they had not been compliant for the entire year). The Draft Amendments would allow for an acknowledgement of less-than-full compliance with an identification of the specific deficiencies, but companies must be prepared to provide the NYDFS with their documentation of remedial efforts planned and underway, along with a timeline for implementation of those efforts.
- The Draft Amendments will likely take effect in 2023, and companies should consider the budget needed to comply with the additional proposed requirements.