PART 1: KEY HEADLINES
On June 28, 2023, the New York Department of Financial Services (“NYDFS”) published an updated version of its proposed Second Amendment (“2023 Proposal”) to the cybersecurity regulation codified at 23 NYCRR 500 (“NYDFS CR”). The 2023 Proposal follows receipt of industry group and other stakeholder comments on the first version of the proposed amendment dated November 9, 2022 (“2022 Proposal”). The 2023 Proposal was published for public comment for a 45-day period that expired on August 14, 2023.
If adopted, the 2023 Proposal will be applicable to all “covered entities”. The 2023 Proposal does not modify the current definition of “covered entities” but clarifies that the NYDFS CR governs a covered entity regardless of whether it is also regulated by other government agencies (Sec 500.1(e)). Companies that are not subject to the NYDFS CR may also benefit from reviewing the 2023 Proposal to understand potential future trends, as the NYDFS CR appears to have a history of influencing the rule-making of other state and federal regulators.
Covered entities will be required to comply with most of the amended requirements within 180 days following adoption of the 2023 Proposal. There are some exceptions; for example, covered entities will need to comply with the 2023 Proposal’s cybersecurity event notification and annual compliance certification requirements within 30 days of adoption (Sec 500.24).
The 2023 Proposal:
- Significantly expands the cybersecurity requirements for covered entities, particularly for larger companies regulated by the NYDFS, which are defined as “Class A Companies”.
- Increases governance requirements, such as requisite board approval for cybersecurity policies.
- Expands cyber incident notice and compliance certification requirements, including notice of extortion payments.
- Enhances the requirements for maintaining a complete and accurate asset inventory (Sec 500.13).
PART 2: SUMMARY OF NEW REQUIREMENTS
Set out below is a summary of key requirements that will be introduced if the 2023 Proposal is adopted.
- EXPANDED CYBERSECURITY REQUIREMENTS
For Class A Companies only
- Conduct an “Independent Audit” of their cybersecurity programs at least annually.
- Monitor privileged account access activity and implement a privileged access management solution as well as an automated method of blocking commonly used passwords for all accounts on information systems owned or controlled by the Class A Company and, wherever feasible, for all other accounts (Sec 500.7(c)). To the extent such blocking is infeasible, a covered entity’s CISO may approve in writing, at least annually, the use of a reasonably equivalent, or more secure, compensating control. The foregoing requirements are in addition to controls over privileged accounts that covered entities would be required to implement, including the requirement to periodically, and at least annually, review all user access privileges and remove or disable accounts and access rights that are no longer necessary (See Sec 500.7(a)).
- Implement endpoint detection, anomalous activity monitoring (including lateral movement), and centralized logging and security event alerting, unless the CISO has determined in writing that a reasonably equivalent or more secure compensating control may be used (Sec 500.14(b)).
For all Covered Entities (including Class A Companies)
- Make available to NYDFS all documents and other information pertaining to any parts of a cybersecurity program maintained by an affiliate and adopted by the covered entity (Sec 500.2(e)).
- Conduct, at a minimum, penetration testing from both inside and outside the covered entity’s information systems’ boundaries at least annually by a qualified internal or external party, as well as vulnerability scans and manual reviews of systems where necessary, at a frequency based on the results of the risk assessment(s) and promptly after any material system changes (Sec 500.5(a)).
- Implement a monitoring process for promptly identifying vulnerabilities and ensure that vulnerabilities are remediated on a risk-focused basis and that any material issues identified through testing are remediated in a timely manner based on the risks they pose (Sec 500.5(b) and (c)).
- Implement secure password rules that meet industry standards (Sec 500.7(b)).
- Comply with a host of new access control obligations consistent with the principle of least privilege and implement the restriction of protocols that permit remote control of devices (Sec 500.7(a)).
- Update risk assessments at least annually and conduct an impact assessment whenever a change in the business or technology causes a material change to cyber risk (Sec 500.9(c)).
- Use multi-factor authentication for any individual accessing the information systems, unless: (1) the covered entity qualifies for a small company limited exemption (Sec 500.19(a)), in which case multi-factor authentication is required only for remote access and privileged accounts (Sec 500.12(a)); or (2) the covered entity’s CISO approves reasonably equivalent or more secure compensating controls, which controls must be reviewed periodically and at least annually (Sec 500.12(b)).
- Monitor and filter internet traffic and emails to block malicious content (Sec 500.14(a)(2)).
- Provide periodic, but at least annual, cybersecurity awareness training, exercises, and simulations on cybersecurity and social engineering (such as phishing) (Sec 500.14(a)(3)).
- Maintain written encryption policies that meet industry standards and document approval of compensating controls for the non-use of encryption in writing (Sec 500.15).
- Include business continuity and disaster recovery (“BCDR”) planning for cybersecurity events in the covered entity’s incident response plan, including preparation of a root cause analysis that describes how and why the event occurred, what business impact it had, and what will be done to prevent recurrence (Sec 500.16).
- The covered entity must distribute or make current plans accessible to relevant employees, and periodically, but at least annually: (1) subject employees to training and periodic testing; and (2) test its incident response and BCDR plans (Sec 500.16(b)-(d)).
- Maintain backups necessary to restore material operations and annually test its ability to restore its “critical data and information systems” from backups (Sec 500.16(e)).
- The senior governing body of a covered entity to approve the covered entity’s cybersecurity policy at least annually (Sec 500.3(a)).
- The senior governing body to maintain effective oversight of the covered entity’s cybersecurity risk management and to have sufficient understanding of cybersecurity-related matters to exercise such oversight, which may include the use of advisors, and to require the covered entity’s executive management or its designees to develop, implement and maintain the covered entity’s cybersecurity program (Sec 500.4(d)).
- A covered entity’s CISO to report on the covered entity’s cybersecurity program to the senior governing body at least annually and, in a timely manner, report to such senior governing body any “material cybersecurity issues”, e.g. significant updates to the covered entity’s risk assessment or significant cybersecurity events (Sec 500.3(c)).
- A covered entity’s CISO to review application security materials “at least annually,” instead of “periodically” (Sec 500.8(b)).
- A covered entity to have procedures to implement its cybersecurity policy, including policies and procedures that address data retention, end of life management, remote access, security awareness and training, systems and application security, and vulnerability management (Sec 500.3).
- The covered entities’ requirement to notify NYDFS of a cybersecurity event within 72 hours of becoming aware of it will be expanded to expressly add three categories of cybersecurity events: (i) events where an unauthorized user has gained access to a privileged account; (ii) events that resulted in the deployment of ransomware within a material part of the covered entity’s information system; or (iii) events at its affiliates or a third-party service provider that affect the covered entity (Sec 500.17(a)(1)).
- Covered entity must provide, update and supplement any information that NYDFS may request in relation to the investigation of a cybersecurity event (Sec 500.17(a)(2)).
- A covered entity must notify NYDFS of an extortion payment made in connection with a cybersecurity event within 24 hours of making the extortion payment and provide a follow-up notice to NYDFS within 30 days of the extortion payment. The follow-up notice must set out the reasons payment was necessary, a description of alternatives to payment considered, all diligence performed to find alternatives to payment, and all diligence performed to ensure compliance with applicable rules and regulations, including those of the Office of Foreign Assets Control (Sec 500.17(c)).
- In lieu of an existing requirement for certification of full compliance in the form of Appendix A of the NYDFS CR (“Prior Certifications”), covered entities must now certify material compliance throughout the prior year based upon data and documentation sufficient to accurately demonstrate such compliance, e.g. reports or sub-certification (Sec 500.17(b)(i)).
- In the event a covered entity cannot certify to material compliance throughout the prior year, the covered entity must provide a written acknowledgement that the covered entity has not fully complied with its requirements and a description of the nature of such non-compliance (Sec 500.17(b)(1)(ii)).
- Unlike the Prior Certifications, neither the certificate of material compliance nor written acknowledgement of noncompliance needs to include supporting documentation and data but all such supporting documentation and data must continue to be maintained and be made available to NYDFS for five years for its examination or inspection.
- The covered entity’s highest-ranking executive and CISO (or other person responsible for cybersecurity) must sign the compliance certification (Sec 500.17(b)(2)).
- All covered entities must maintain a complete and accurate asset inventory of technology resources that specifies key information for each asset. The asset inventory must be updated, in accordance with the covered entity’s written policies and procedures (Sec 500.13(a)).
- The number of companies that qualify for small-company exemptions from some cybersecurity requirements increases as a result of the 2023 Proposal raising the exemption’s personnel threshold from 10 to 20 and its total assets threshold from $10 million to $15 million (Sec 500.19(a)(1) and (3)).
- Wholly owned subsidiaries of a covered entity are now included with others – the covered entity’s agents, employees, representatives, and designees – as being exempt from the need to have a cybersecurity program to the extent that they follow the cybersecurity program of the applicable covered entity (Sec 500.19(b)).
- The list of fully exempt licensees from the regulation expands to include reciprocal jurisdiction reinsurers, inactive individual insurance agents and brokers, and inactive individual mortgage loan originators.
- Any covered entity that ceases to be eligible for an exemption is required to come into compliance within 180 days (Sec 500.19(e)).
- A covered entity may request an exemption from having to make an electronic filing or a submission as part of compliance with a requirement (Sec 500.24).
- The NYDFS will consider several factors when assessing a penalty for a violation of the cybersecurity requirements, including, among many others, the good faith of the entity, its history of prior violations, the gravity of the violations and the extent of harm to consumers (Sec 500.20).
- A single act, or failure to act, constitutes a violation of the cybersecurity requirements, including, a failure to (1) prevent unauthorized access to an individual’s or an entity’s nonpublic information or (2) materially comply for any 24-hour period with any requirement (Sec 500.20).
PART 3: NEXT STEPS
ACTION STEPS: New cybersecurity requirements of the 2023 Proposal may require modifications to existing systems (e.g., attributes in asset inventories), policies (e.g. cybersecurity policy) or management/governance processes.
Covered entities are any person operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation or similar authorization under the New York Banking Law, Insurance Law or Financial Services Law (Sec 500.1(e)).
Class A Companies are covered entities with at least $20 million in gross annual revenue in each of the last two fiscal years from operations in New York (including New York revenue of affiliates) that also have i) more than 2,000 employees over the last two fiscal years (including employees of affiliates) or ii) more than $1 billion in gross annual revenue in each of the last two fiscal years (including revenue of affiliates), with subclauses i) and ii) having no restriction by geography. When calculating the number of employees and gross annual revenue, affiliates shall include only those that share information systems, cybersecurity resources or all or any part of a cybersecurity program with the covered entity (Sec 500.1(d)).
Independent Audit is an audit conducted by internal or external auditors free to make their decisions, not influenced by the covered entity being audited or by its owners, managers, and employees (Sec 500.1(g)).
Privileged account means any authorized user account or service account that can be used to perform security-relevant functions that ordinary users are not authorized to perform, including but not limited to the ability to add, change or remove other accounts, or make configuration changes to information systems to make them more or less secure (Sec 500.1(m)).
Chief Information Security Officer or CISO means a qualified individual responsible for overseeing and implementing the covered entity’s cybersecurity program and enforcing its cybersecurity policy, who has adequate authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain an effective cybersecurity program (Sec 500.1(c)). The CISO may be employed by the covered entity, one of its affiliates or a third-party service provider so long as the third-party service provider or affiliate maintains a cybersecurity program that protects the covered entity (Sec 500.4(a)).
Risk assessment means the process of identifying, estimating and prioritizing cybersecurity risks to organizational operations (including mission, functions, image and reputation), organizational assets, individuals, customers, consumers, other organizations and critical infrastructure resulting from the operation of an information system. Risk assessments incorporate threat and vulnerability analyses, and consider mitigations provided by security controls planned or in place (Sec 500.1(o)).
Senior governing body could be a covered entity’s board of directors (or committee thereof), or the company’s senior officer(s) responsible for the covered entity’s cybersecurity program if no board exists. In the event a covered entity adopts a cybersecurity program or part of a cybersecurity program from an affiliate, the senior governing body of the covered entity may be that of the affiliate (Sec 500.1(p)).