NY DFS Proposes New Class of Entities and More Detailed Regulations in Second Amendment to Cybersecurity Regulations

On November 9, 2022, the New York Department of Financial Services (DFS) published its proposed second amendment to its cybersecurity regulations (23 NY CRR Part 500). This proposal follows a July 29 pre-proposal and comment period. The amendment is available for a sixty-day comment period – until January 9, 2023 – after which the agency may adopt final regulations or issue a further revised version.

The proposal shows that DFS seeks to substantially revise the regulations and add numerous new, stringent, and more detailed obligations.  If the final amended regulations look anything like the proposal, DFS will remain at the forefront of cybersecurity regulation, amid proliferating and often concurrent cybersecurity regulations at the state and federal level.  The amendments would heighten management involvement in certification; prescribe additional technologies and granular policies across a covered entity’s program; increase audit and testing requirements; and notably expand breach notification requirements. The amendments also propose additional regulations for larger entities – formally classified as “Class A.”

One other possible change merits particular attention.  The DFS proposes more explicit criteria for the calculation of penalties.  While the increase in transparency will no doubt be welcome, the draft creates several multipliers that could have a profound impact on licensed entities and the regulatory balance.  These include a multiplier for every 24 hours of noncompliance of any of the voluminous and detailed requirements, among other grounds for additional charge counts, that could make for disproportionate and potentially absurd fines even for technical peccadillos in which there is no consumer harm (although the draft provides for some consideration of the consumer impact).

While an exhaustive list of the changes is beyond the scope of this post, some of the most significant proposed revisions are highlighted below.

  1. New Class of Entities:
    1. Large covered entities (“Class A”) would be required to employ additional standards, including an annual external audit; an endpoint detection and response solution; a centralized logging solution; and external risk assessments conducted every three years.
    2. Class A companies must have at least $20 million in gross annual revenue in each of the last two fiscal years from the business operations of the covered entity and its affiliates in New York. They must also have over 2,000 employees and over $1 billion in gross annual revenue each averaged over the last two fiscal years from all business operations of the covered entity and its affiliates.
  2. Additional Defined Terms:
    1. There would be new, or expanded, definitions for independent audit; risk assessment; and privileged accounts.
    2. The requirements for Multi-Factor Authentication (MFA) would be refined, with an exception for service accounts.
    3. Defining a “senior governing body” as either the Board of Directors, a committee thereof, or an equivalent governing body.
  3. Governance Changes:
    1. Covered entities’ cybersecurity policies would need to be approved annually by the senior governing body. If a senior governing body does not exist, the senior officer responsible for the cybersecurity program must approve the written cybersecurity policy annually.
    2. Entities must then develop and implement documented procedures based on the approved, written policies. The CISO must also have the authority to direct resources to implement the cybersecurity program.
    3. Rather than the current once per year reporting requirement, the CISO would be required to “timely” report “material cybersecurity issues” including updates to the risk assessment or “major” cyber events.
    4. “Material gaps” identified through independent risk assessments (conducted every three years) as well as vulnerability assessments and system scans would need to be reported to the senior governing body.
    5. The board would be required to have or be advised by experts such that it can exercise effective oversight of cyber risk.
    6. The board would be required to have a committee or subcommittee assigned responsibility for cybersecurity.
  4. There would be two alternative filings: certification of compliance, or acknowledgement of non-full compliance.
    1. However, filing would require detailed disclosures if a licensed entity must certify outside of full compliance.
    2. Companies would be required to share plans for material improvements with the Department.
    3. Even further detailed documentation will likely need to be prepared on all aspects of the cyber program status to support certification each year.
    4. The annual certification would need to be signed by the CISO (or the senior officer responsible for the cybersecurity program) and the highest-ranking executive (i.e. CEO).
  5. Changes to Cybersecurity Policy:
    1. Cybersecurity policies would need to be revised annually. Currently they must only be reviewed periodically.
    2. Policies would need to be implemented in accordance with (separate) documented procedures.
    3. Entities would need to have an asset inventory policy, and such policy should also expressly address not only device management but end of life management.
    4. Cyber policies would need to express address vulnerability and patch management.
    5. Access control policies would need to explicitly address remote access.
    6. Written encryption policies would be required to meet industry standards and be reviewed by the CISO.
    7. All employees would need at least annual training on cyber awareness, with special emphasis on social engineering.
  6. Changes to Technology Requirements:
    1. All covered entities would need to implement:
      • Email monitoring and filtering; and
      • MFA for any remote access to the entity’s information systems as well as third party applications.
    2. Class A companies would need to implement:
      • Endpoint Detection and Response (EDR) solution that monitors anomalous activity and lateral movement;
      • A Security Information and Event Management (SIEM) system;
      • An automated method of blocking commonly used passwords; and
      • A privileged access management solution.
  7. Changes to Testing and Risk Assessments:
    1. Penetration tests would need to be conducted at least annually by a qualified independent party. Tests must be from both inside and outside the information system.
    2. Instead of vulnerability assessments, entities would be required to conduct automated scans of information systems to discover, analyze, and report any vulnerabilities. Vulnerabilities must be remediated in a timely fashion based on the risk they pose. Any material issues must be reported to senior management and the senior governing body.
    3. Class A companies would need to use an external expert to conduct their risk assessment once every three years.
  8. Expanded requirements for disaster recovery and business continuity planning, technologies and testing.
    1. These plans must be designed to ensure availability and functionality of the entity’s services and protect personnel, assets, and nonpublic information in the event of an emergency or disruption.
    2. They must, at a minimum:
      • Identify documents, data, facilities, infrastructure, personnel, and competencies essential to the business;
      • Identify supervisory personnel responsible for implementing each aspect of the BCDR plan;
      • Include a communications plan, including specific persons listed in the reg (regulators, board, counterparties, employees, etc.);
      • Include maintenance procedures for back-up facilities, systems, etc.;
      • Include procedures for the back-up of essential data; and
      • Identify third parties necessary to continued operations.
  9. Expanded requirements for access privileges and password requirements.
    1. User access privileges would be reviewed annually. Entities would need to limit user access privileges to nonpublic information to those necessary for the user’s job.
    2. Entities would need to limit the number of privileged accounts and their access to only those necessary to perform the user’s job.
    3. Entities must implement a written password policy that meets industry standards.
  10. Changes to Breach Notification Requirements:
    1. Notice would be required when an unauthorized user has gained access to a privileged account (regardless of whether that takeover resulted in a compromise of important data or materially impacted systems).
    2. Incidents at third-party service providers that affect the entity must be notified to DFS no later than 72 hours after the entity becomes aware of the incident.
    3. Notice would be required when ransomware is deployed within a material part of the entity’s information system.
      • Notice of a ransomware payments would need to filed within 24 hours.
      • For ransomware, entities would also have to supplement the filing within 30 days with detailed explanation of whether and why they paid a ransom, what alternatives they considered, and what diligence was conducted to determine a payment did not violate sanctions law.

Most of the proposal does not go into effect until 180 days after publication in the New York Register, which itself can occur only after the aforementioned 60 day comment period. The earliest publication could occur is January 9, 2023. However, certain parts of the amendment have different effective dates. The list of effective dates is listed below.

NY DFS Proposed Second Amendment Effective Dates
Immediately on the publication date
  • 500.19(e) – (h): exemptions for individual insurance brokers
  • 500.20: enforcement factors
  • 500.21: second amendment effective on publication
  • 500.22: effective dates
  • 500.24: exemptions from electronic filing and submission requirements
30 days from publication
  • 500.17: new notice requirements
180 days from publication
  • Any other part of the amendment
12 months from publication
  • 500.16(e): backups must be protected
  • 500.19(a): exemptions for smaller entities
18 months from publication
  • 500.5(a)(2): automated scans of information systems to discover, analyze, and report vulnerabilities
  • 500.7(b): written password policy, privileged access management solution, and automated method for blocking common passwords
  • 500.12(b): MFA for remote access
  • 500.14(a)(2): new controls against malicious code
  • 500.14(b): EDR and logging requirements for Class A companies
2 years from publication
  • 500.13(a): asset inventory

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.