NYDFS FINALIZES SIGNIFICANT AMENDMENT TO PART 500 CYBERSECURITY REGULATION

On November 1, 2023, the New York State Department of Financial Services (“NYDFS”) issued its Second Amendment (the “Amendment”) to its Cybersecurity Requirements for Financial Services Companies adopted in 2017, codified in Section 500 of 23 NYCRR 500^[1] (the “Cybersecurity Requirements;” the Cybersecurity Requirements as amended by the Amendment, the “Amended Cybersecurity Requirements”). The Amendment imposes significant updates to NYDFS’s Cybersecurity Requirements in a statewide effort to bolster safeguards for businesses and consumers by requiring the financial services industry to institute stronger standards and controls to secure sensitive data in order to address the evolving and increasing risks of cyberattacks on holders of sensitive data. Most notably, the Amendment consists of an expansion of obligations on entities regulated by NYDFS to report cybersecurity incidents and enhance their consumer data protection and cybersecurity infrastructure.^[2]

Regulated entities are generally required to comply with the new requirements imposed by the Amendment by April 29, 2024,^[3] although certain provisions allow a longer time frame for compliance.^[4] However, the new requirements regarding reporting certain cybersecurity incidents become effective on December 1, 2023.^[5]

Key Updates to the Cybersecurity Requirements

Below is a description of some of the important changes introduced by the Amendment.

Introducing a new category of “Class A” companies that are subject to more stringent compliance requirements

• A Class A company consists of a Covered Entity^[6] with at least $20 million in gross annual revenue in each of the last two fiscal years from all of its business operations and that either (a) has employed over 2,000 employees averaged over the last two fiscal years or (b) has over $1 billion in gross annual revenue in each of the last two fiscal years from all of its business operations.^[7]

• In addition to all requirements applicable to Covered Entities under the Amendment generally, a Class A company is further required to:

• Design and conduct independent audits of its cybersecurity program based on its risk assessment^[8];

• Monitor privileged access activity by implementing certain access controls, such as a privileged access management solution and imposing password complexity requirements^[9]; and

• Implement an endpoint detection and response solution to monitor anomalous activity, and use a centralized solution for system logging and security event alerts.^[10]

Designation of a “senior governing body” to oversee cybersecurity

• Although Covered Entities were already required to ensure that the board or its senior officer(s) oversaw their cybersecurity compliance, the Amendment adopts a new term, “senior governing body,” for the person(s) responsible for exercising that oversight.^[11]

• It also delineated the senior governing body’s responsibilities, which include:

• Having sufficient understanding of cybersecurity-related matters to exercise the required oversight, which may include the use of advisors;

• Requiring management to develop, implement and maintain the Covered Entity’s cybersecurity program;

• Regularly receiving and reviewing management reports about cybersecurity matters;

• Approving, at least annually, the entity’s written cybersecurity policies; and

• Confirming that management has allocated sufficient resources to implement and maintain an effective cybersecurity program, in light of the risks to the Covered Entity.^[12]

Increased reporting requirements for Chief Information Security Officers

• The Chief Information Security Officer (“CISO”) of a Covered Entity is now required to timely report to the senior governing body or senior officer(s) on material cybersecurity issues, such as significant cybersecurity events and significant changes to the Covered Entity’s cybersecurity program.^[13]

• The CISO is required to sign, along with the highest-ranking executive of the Covered Entity, an annual certification that the Covered Entity has materially complied with the Amended Cybersecurity Requirements during the prior calendar year.^[14] Alternatively, and as appropriate, the CISO and the highest-ranking executive must sign a written acknowledgement that the entity did not materially comply with the requirements, and provide a description of the nature of the non-compliance.

Expanded requirements for cybersecurity defense and vulnerability management mechanisms

• The existing requirement for penetration testing now includes assessments “from both inside and outside the information systems’ boundaries by a qualified internal or external independent party at least annually.”^[15]

• There is a new requirement to conduct automated scans of information systems and a manual review of systems not covered by such scans to discover, analyze and report vulnerabilities at a frequency to be determined in the entity’s risk assessment.^[16]

• There is a new requirement to have a monitoring process in place to be promptly informed of new security vulnerabilities and to timely remediate such vulnerabilities giving priority based on the risk they pose to the Covered Entity.^[17]

• There are various new limitations on user access privileges, including: limiting user access to nonpublic information and privileged accounts to only those necessary to perform the user’s job, annually reviewing all user access privileges, terminating accounts when no longer necessary, promptly terminating access following user departures, and disabling or securely configuring all protocols that permit remote control of devices.^[18]

• There is a new requirement to implement a written password policy that meets industry standards, to the extent passwords are used for authentication.^[19]

• There is an updated requirement to using multi-factor authentication for any individual accessing any information systems of a Covered Entity, subject to certain limited exemptions.^[20]

Additional requirements to implement robust written policies and procedures to produce and maintain asset inventory of information systems^[21]

• At a minimum, such written policies and procedures must include: (i) a method to track key information for each asset (such as owner, location, classification or sensitivity, support expiration date and recovery time objectives) and (ii) the frequency required to update and validate the asset inventory.

New requirements to implement cybersecurity plans containing proactive measures to investigate and mitigate cybersecurity events and to ensure operational resilience

• A Covered Entity is required to establish an incident response plan that addresses, at a minimum, its internal processes for responding to a cybersecurity event, recovery from backups, and preparation of root cause analysis that describes how and why the event occurred, its business impact and measures to prevent reoccurrence.^[22]

• A Covered Entity is also required to establish a business continuity and disaster recovery plan that ensures the availability and functionality of its information systems and material services and protects its personnel, assets and nonpublic information in the event of a cybersecurity-related disruption to its normal business activities. The new requirements set forth specific elements that should be addressed in this plan, including, among other items, identifying the documents, data, infrastructure and personnel that are essential to the Covered Entity’s continued operations, setting out a communication plan with essential persons, setting out procedures for backing up essential information and timely recovery of critical data, and identifying necessary third parties to the Covered Entity’s continued operations.^[23]

• A Covered Entity is required to train, and annually test, employees on such plans.^[24]

Enhanced reporting obligations, with an expanded scope of events to be reported and scope of information to be included in the reports

• The existing Cybersecurity Requirements require a Covered Entity to report a cybersecurity incident to the NYDFS Superintendent within 72 hours after determining a cybersecurity incident has occurred. The Amendment expands on this reporting obligation by clarifying that (i) the reporting obligation is triggered if the cybersecurity incident has occurred at the Covered Entity, its affiliates, or at a third-party service provider, (ii) the report must be submitted electronically (in the form on the NYDFS’s website), and (iii) a Covered Entity is required to provide to the NYDFS Superintendent any information requested regarding such incidents. The Amendment also clarifies that Covered Entities must update the NYDFS Superintendent if there are material changes to the information it has reported, or if information they are required to report subsequently becomes available.^[25]

• A Covered Entity is also required to notify the NYDFS of extortion payments made in connection with a cybersecurity event within 24 hours of the payment, and provide a written description of the reasons the payment was necessary within 30 days of the payment.^[26]

Reinforced Enforcement Authority

• The NYDFS clarified that “[t]he commission of a single act prohibited by this Part or the failure to act to satisfy an obligation required by this Part shall constitute a violation hereof.”^[27]

• Such acts or failures include, among others, “the failure to secure or prevent unauthorized access to an individual’s or an entity’s nonpublic information due to noncompliance with any section of this Part.”^[28]

• In response to certain public comments from industry participants and other interested parties (the “Public Comments”), the NYDFS clarified that such determination is not subject to a materiality threshold. Rather, a Covered Entity that has failed to secure or prevent unauthorized access to nonpublic information because it is not in compliance with the Amended Cybersecurity Requirements is in violation of the Amended Cybersecurity Requirements.

• If the impact of the violation is immaterial, that would be considered when assessing penalties and how a potential enforcement action might be viewed by the NYDFS.^[29]

• A violation also arises from “the material failure to comply for any 24-hour period with any section of [the Amended Cybersecurity Requirements].”^[30] The NYDFS clarified in response to the Public Comments that such 24-hour period for material compliance does not begin when the Covered Entity becomes aware of such material failure, but rather when the material failure has occurred.^[31]

• In assessing penalties for a violation of the Amended Cybersecurity Requirements, the NYDFS Superintendent will take into account numerous factors, including: the Covered Entity’s cooperation with the Superintendent, the Covered Entity’s good faith, whether the violation resulted from unintentional conduct compared to reckless or deliberate conduct, history of prior violations, the extent of harm to consumers, whether timely disclosures were made to affected consumers, the financial resources, net worth and annual business volume of the Covered Entity and its affiliates, and such other matters as justice and the public interest require.^[32]

Conclusion

The Amendment represents a significant overhaul of the cybersecurity regulatory landscape that carries implications for NYDFS-regulated financial institutions, particularly in light of the NYDFS’s clarified authority to bring enforcement actions for even a single violation of the Amended Cybersecurity Requirements. Covered Entities should assess their cybersecurity infrastructure to ensure compliance with the updated regulations by April 29, 2024 (or in the case of certain reporting obligations, by December 1, 2023). Among other things, Covered Entities should consider whether to increase their investments and corporate budget to design and implement cybersecurity programs that allow for compliance with the new requirements imposed by the Amendment, and enforce and monitor such compliance not only within the Covered Entity, but also among the Covered Entity’s vendors who store or process data on their behalf or who otherwise have access to the Covered Entity’s data or networks. It is critical for financial institutions to review the impacts of the Amendment on their respective institutions as soon as possible in order to take proactive measures to ensure compliance with the Amended Cybersecurity Requirements.