Hogan Lovells 2024 Election Impact and Congressional Outlook Report
On November 9, 2022, the New York Department of Financial Services (NYDFS) published proposed amendments to significantly expand Cybersecurity Requirements for Financial Services Companies under 23 NYCRR 500 (the “NYDFS Cybersecurity Regulation”), in light of industry feedback received following NYDFS’s July 29, 2022 issuance of pre-proposed amendments to the same. These developments are happening amid a flurry of other, largely uncoordinated U.S. government initiatives to further regulate cybersecurity practices, including by the Securities and Exchange Commission (SEC) and the Cybersecurity and Infrastructure Security Agency (CISA), pursuant to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
The proposed amendments would create a new subset of covered entity (“Class A companies”) subject to additional requirements and would impose new cybersecurity obligations around governance, incident reporting, business continuity and disaster recovery plans, as well as additional technical and organizational requirements for all covered entities. Subject to certain exceptions, covered entities would have 180 days to come into compliance with the amended NYDFS Cybersecurity Regulation once finalized. The proposed amendments are open for comments until Monday, January 9, 2023.
The proposed amendments would introduce the new concept of “Class A companies,” defined as covered entities with at least $20 million in gross annual revenue in each of the previous two fiscal years from business operations (including of the covered entity and its affiliates) in New York, and either: (1) over 2,000 employees averaged over the last two fiscal years (including those of both the covered entity and its affiliates no matter where located); or (2) over $1 billion in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and its affiliates. Class A companies would be subject to cybersecurity requirements beyond those generally imposed on covered entities, including:
Independent Audits: Class A companies would be required to undergo independent audits of their cybersecurity programs at least annually. To qualify as “independent,” audits must be conducted by external auditors “free to make decisions not influenced by” the covered entity. The requirement that an “independent audit” be conducted by an external auditor is a significant shift from the pre-proposed amendments, which would have permitted an “independent audit” to be conducted by internal, as well as external, auditors. Currently, such audits are not required under the NYDFS Cybersecurity Regulation.
Risk Assessments: In addition to the new requirement that all covered entities (including Class A companies) review and update their risk assessment at least annually and whenever a change in the business or technology causes a material change to the covered entity’s cyber risk, Class A companies would be required to use external experts to conduct their risk assessment at least once every three years. Currently, covered entities are only required to conduct risk assessments “periodically” and “as reasonably necessary to address changes to the covered entity’s information systems, nonpublic information or business operations.”
Access Privileges & Management: Class A companies would be required to monitor privileged access activity and implement: (1) a privileged access management solution; and (2) an automated method for blocking commonly used passwords for all accounts. However, to the extent that a covered entity determines that blocking commonly used passwords is infeasible, the covered entity’s CISO may instead approve in writing (at least annually) the use of reasonably equivalent or more secure compensating controls. These requirements are more prescriptive than the access controls that are currently required.
Monitoring: Class A companies would be required to implement an endpoint detection and response (EDR) solution designed to identify anomalous activity (including, in particular, lateral movement by threat actors across the entity’s network environment), as well as a solution that centralizes logging and security event alerting, unless the entity’s CISO approves reasonably equivalent compensating controls in writing. These requirements are more prescriptive than the monitoring measures in the current NYDFS Cybersecurity Regulation.
In addition to the new obligations for Class A companies, the proposed amendments would impose a number of new cybersecurity requirements on all NYDFS-regulated entities, including any entity operating under or required to operate under a license (including a BitLicense), registration, charter, permit, accreditation, or similar authorization under the New York Banking Law, Insurance Law, or Financial Services Law. Most notably, covered entities, including Class A companies, should consider the following key new requirements under the proposed amendments:
Notice to the Superintendent: The proposed amendments would include new notice obligations around unauthorized access, ransomware, and extortion payments. Currently, the NYDFS Cybersecurity Regulation requires notice to the NYDFS Superintendent no later than 72 hours from a determination of a “cybersecurity event” that either (i) requires notice to be provided to any government body, self-regulatory agency or other supervisory body; or (ii) has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity. The proposed amendments would modify the requirement to notify the NYDFS Superintendent no later than 72 hours from a determination that a “cybersecurity event” has occurred that (i) requires notice to be provided to any government body, self-regulatory agency or other supervisory body; (ii) has a reasonable likelihood of materially harming, disrupting or degrading any material part of the normal operation(s) of the covered entity; (iii) involves instances where an unauthorized user has gained access to a privileged account; or (iv) resulted in the deployment of ransomware within a material part of the covered entity’s information system. (Note that the proposed amendments continue to not define “materiality.”) Covered entities would similarly be required to notify the NYDFS Superintendent within 72 hours of becoming aware of a “cybersecurity event” at a third-party service provider, if the event affects the covered entity.
The proposed amendments would further introduce new requirements that covered entities notify the NYDFS Superintendent within 24 hours of an extortion payment and provide a written description of reasons for payment, including diligence conducted to comply with OFAC and other relevant requirements prior to payment, within 30 days of making an extortion payment.
These requirements will add to the various other notification obligations to which covered entities may be subject, including: (i) obligations under state data breach notification laws; (ii) the requirement for certain banking organizations to notify their primary federal regulator within 36 hours of the determination of a notifiable incident; (iii) the requirement under the proposed SEC rule that public companies disclose “material” (as defined under securities laws) cybersecurity incidents on a Form 8-k within four business days of a public company’s determination that a “material” cybersecurity incident has occurred; (iv) requirements for insurance companies to notify state insurance regulators regarding cybersecurity events generally within a few days of a determination that a cybersecurity event occurred; and (v) the additional cyber incident and ransom payment reporting requirements that will be issued by the Cybersecurity and Infrastructure Security Agency (CISA) pursuant to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
Multi-factor Authentication: The proposed amendments would add a new requirement that covered entities implement multi-factor authentication (MFA) for all “privileged accounts” (as defined under the proposed amendments). Additionally, while the NYDFS Cybersecurity Regulation currently requires that any reasonably equivalent or more secure compensating controls be approved by the covered entity’s CISO in writing, the proposed amendments would require that the CISO review such approvals at least annually.
Board-Level Expectations: A covered entity’s board of directors or “an appropriate committee thereof” must exercise oversight of, and “provide direction” to management on, the covered entity’s cybersecurity risk management. The board or committee must have sufficient expertise and knowledge (or be advised by persons with sufficient expertise and knowledge) to exercise effective oversight of cybersecurity risk management. On top of the current requirement that the CISO annually report “material cybersecurity issues” to the board, the CISO would be required to report remediation plans for material inadequacies identified in the company’s cybersecurity program. Notably, NYDFS’s increased focus on cybersecurity governance and board of director expertise resembles the focus on these areas in the Security and Exchange Commission’s (SEC) proposed cybersecurity rule.
Business Continuity and Disaster Recovery Plans: While the current NYDFS Cybersecurity Regulation requires that covered entities maintain cybersecurity policies and procedures that “address” business continuity and disaster recovery (BCDR) planning “to the extent applicable to the covered entity’s operations,” the proposed amendments are more prescriptive with respect to BCDR. Covered entities would be required to implement a BCDR plan that is reasonably designed to ensure the availability and functionality of the covered entity’s services and protect the covered entity’s personnel, assets, and nonpublic information in the event of an emergency or disruption to its normal business activities. A key component here is the requirement that a covered entity include procedures for data back-ups in offsite locations to ensure that relevant personnel are able to “timely” restore systems in the event of a cybersecurity event. (The proposed amendments go further than the proposed SEC rule, which addresses BCDR planning by requiring that public companies only disclose whether they have “business continuity, contingency, and recovery plans in the event of a cybersecurity incident”—not that covered entities actually have a BCDR plan in place)
Vulnerability Management: Covered entities would need to conduct automated scans of information systems and manual reviews of systems not covered by such scans. The proposed amendments would also replace the current requirement for covered entities to conduct bi-annual vulnerability assessments with a requirement to have a monitoring process in place to ensure that the covered entity is promptly informed of the emergence of new security vulnerabilities. Covered entities would be required to “timely” remediate vulnerabilities, prioritizing vulnerabilities based on the risk they pose to the covered entity.
Asset Inventories: Covered entities would be required to implement written policies and procedures to maintain accurate and updated asset inventories. At minimum, these policies and procedures will need to ensure that asset inventories track key information (e.g., asset owner, location, classification or sensitivity, support expiration date, and recovery time requirements).
Enhanced Employee Training Requirements: Covered entities would be required to expand employee training to include social engineering exercises. Additionally, key employees supporting required incident response and BCDR plans would need to be trained on their roles and responsibilities.
NYDFS-regulated entities should be aware that the proposed amendments make clear that a covered entity that commits a single act prohibited by the NYDFS Cybersecurity Regulation, or that fails to comply with any obligation (including failure to comply for any 24-hour period), would be viewed as in violation of the NYDFS Cybersecurity Regulation and may be subject to enforcement by NYDFS. The proposed amendments come amid an overall emphasis by NYDFS over the past few years on a number of cybersecurity expectations, which have included detailed industry guidance on BCDR, ransomware, and other topics as well as a recent Cybersecurity & Information Technology Baseline Risk Questionnaire (CIBRiQ) issued by NYDFS. Fines in the millions of dollars have become more prevalent in recent years for violations of the NYDFS Cybersecurity Regulation.
Covered entities may wish to consider now the impact of the proposed amendments on their business, and whether there are elements of the proposed amendments for which comments to NYDFS may be warranted (whether directly or through industry groups).
If the proposed amendments are adopted, NYDFS-regulated entities are well advised to take a number of steps to prepare for compliance, including (but not limited to):
Determine whether the entity is a Class A company. Covered entities will want to carefully assess whether they may be subject to the additional compliance obligations imposed on Class A companies.
Update incident response plans. Covered entities may wish to update their existing incident response plans to account for the proposed amendments’ new notification obligations related to ransomware, unauthorized access to privileged accounts, and third-party security events, as well as the requirements to report and justify extortion payments.
Map the entity’s data. To facilitate compliance with the NYDFS Cybersecurity Regulation’s new requirement that covered entities maintain written policies and procedures to ensure complete and accurate asset inventories, covered entities will want to ensure that they have a full understanding of their information flows and data assets.
Evaluate existing privileged accounts. The proposed amendments would impose various new requirements related to privileged accounts, which is defined broadly to include any user or service account that can be used to “affect a material change” to the covered entity’s technical or business operations. Identifying which accounts fall into this category will be an important part of confirming that a covered entity meets its new compliance obligations.
Consider conducting tabletop exercises. Tabletop exercises conducted under the guidance of experienced cybersecurity and resiliency professionals may help to ensure that employees supporting a covered entity’s incident response and BCDR plans are trained on their roles and responsibilities and well-positioned to mitigate harm in the event of an incident or outage.
Authored by Paul Otto, Peter M. Marta, Elizabeth Boison, Jasmeet K. Ahuja, Roshni Patel, Alaa Salaheldin, and A.J. Santiago.