On July 29, 2022, the New York Department of Financial Services (NYDFS) published the pre-proposed second amendment to its Cybersecurity Regulations, 23 NYCRR 500 (Part 500), which, if adopted, would likely require numerous policy and operational changes. NYDFS sought comments on the pre-proposal through August 18, 2022. Although this amendment has been long anticipated, the next step will be for NYDFS to formally publish the second amendment.
Effective in 2017, Part 500 was a first-of-its-kind state regulation that created mandatory cybersecurity and risk management regulations for “covered entities.” Part 500 defines Covered Entities as persons operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.
As originally enacted, Part 500 imposed rigorous standards to enhance cybersecurity posture through requirements such as the maintenance of a cybersecurity program and policies, and the designation of a Chief Information Security Officer.
The pre-proposed second amendment includes significant changes to the original language, with several notable areas likely to have a material impact on companies. Here are highlights of what covered entities need to know about the pre-proposal:
Class A Companies. Covered entities that have either over 2,000 employees or over $1,000,000,000 in gross annual revenue (including affiliates’ employees and revenue) would be classified as Class A Companies. Class A Companies would be subject to unique requirements including increased monitoring and password requirements, weekly systematic scans or reviews of information systems, annual independent audits of cybersecurity program(s), and at least every three years, risk assessments conducted by external experts.
CEO Signature. A covered entity’s annual compliance certification requirement would remain, but with several notable differences. First and most notably, the covered entity’s CEO and CISO would be required to sign the certification. Second, notice of compliance must be based on data and documentation sufficient to demonstrate such compliance. Third, a covered entity would have the option, instead of submitting a certification of compliance, to submit a written acknowledgement that it was not fully in compliance.
Executive Management Involvement. The original language of Part 500 requires a covered entity to address information security in its cybersecurity policy. Under the pre-proposal, if a covered entity has a board of directors, the board (or a committee thereof) would now need to delegate the development, implementation and maintenance of the covered entity’s information security program to executive management (or its delegates).
Chief Information Security Officer (CISO). The CISO would be required to report in writing, at least annually, not only on the cybersecurity program but also on plans for remediating inadequacies therein. The annual report would also be required to include elements that the original language of Part 500 only requires be considered: the confidentiality of nonpublic information and the integrity and security of the covered entity’s information systems; the covered entity’s cybersecurity policies and procedures and material cybersecurity risks to the covered entity; the overall effectiveness of the covered entity’s cybersecurity program; and material cybersecurity events involving the covered entity during the time period addressed by the report.
Cybersecurity Program. A covered entity’s cybersecurity program would be required to include a written policy requiring encryption that meets industry standards to protect nonpublic information, and to review the feasibility of encryption and effectiveness of the controls annually. In addition, the CISO would be required annually to (as opposed to periodically) review, assess and update its cybersecurity program procedures, guidelines and standards.
Third-Party Service Providers Security Policies. An agent, employee, representative or designee of a covered entity who itself is also a covered entity would no longer be exempt from developing its own third-party information security policy.
Multi-Factor Authentication. Multi-Factor authentication (MFA) would be required for all remote access to a covered entity’s network, enterprise and third-party applications from which nonpublic information is accessible. MFA would also be required for access to all privileged accounts except for service accounts that prohibit interactive login for which the CISO has approved in writing reasonable equivalent security controls.
Monitoring and Training. Covered entities would be required to monitor and filter emails to block malicious content from reaching authorized users. In addition, a covered entity’s cybersecurity training must include phishing training.
Operational Resilience. Covered entities would be required to have not only an incident response plan but also a business continuity plan and a disaster recovery plan. In addition, covered entities would be required to distribute these plans to all employees, provide training on them, test them periodically, and maintain backups isolated from network connections.
Notice to Superintendent. The 72-hour notice requirement of a cybersecurity event would remain, but there would be two additional triggers for such notice: cybersecurity events where an unauthorized user has gained access to a privileged user account, and cybersecurity events that resulted in deployment of ransomware within a material part of the covered entity’s information system.
Covered entities would also need to provide notice to the superintendent within 24 hours of making an extortion payment in connection with a cybersecurity event, including “a written description of the reasons payment was necessary, a description of alternatives to payment considered, all diligence performed to find alternatives to payment, and all diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control.” Such notices to the superintendent would be done electronically through the NYDFS website unless the covered entity seeks an exemption from electronic filing via the proposed provision in §500.24.
Exemptions. The same limited exemption provision remains but would be amended slightly to exempt covered entities with fewer than 20 employees (instead of 10) and covered entities with less than $15,000,000 in year-end total assets (instead of $10,000,000). In addition, where a covered entity ceases to qualify for an exemption, the timeline to become compliant with the regulation would be shortened from 180 days to 120 days.
Enforcement. The enforcement provision is broadened, now stating that “a single act” or failure to act contrary to the requirements of the regulation constitutes a violation. It also includes some of the factors the superintendent may consider when assessing any penalty for a violation such as good faith of the entity, history of prior violations, the extent of harm to consumers, the number of violations and whether the covered entity provided false or misleading information.
We will continue to monitor and report on NYDFS activities concerning the second amendment to Part 500.