NYDFS Considering Significant Updates to Its Cybersecurity Rule

30 Aug 2022
Client Alert

The New York Department of Financial Services (“NYDFS”) recently released new draft amendments (“Draft Amendments”) to its controversial cybersecurity rule (“Cybersecurity Rule” or “Rule”) that would make significant changes to the Rule, including a mandatory 24-hour notification of cyber ransom payments, heightened cyber expertise requirements for board members, and new access restrictions on privileged accounts. If formally proposed and ultimately adopted, the Draft Amendments would further expand the Cybersecurity Rule’s requirements and, in particular, impose heightened obligations on certain types of larger financial institutions.

Additional NYDFS Notification Obligations for Certain Incidents

The Draft Amendments would create new requirements to notify NYDFS of certain incidents. For example, the Draft Amendments would require notification to NYDFS within 72 hours of any unauthorized access to privileged accounts or deployment of ransomware within a material part of the covered entity’s information systems. In addition, the Draft Amendments would require notification to NYDFS within 24 hours of a covered financial institution making a ransomware payment connected to a cybersecurity event, as well as introduce a requirement to provide NYDFS within 30 days with an “explanation” of why the payment was necessary, whether alternatives were considered, and what sanctions diligence was conducted.

Heightened Risk Assessment Requirements

The Draft Amendments would make meaningful changes to the risk assessment requirements under the Cybersecurity Rule. Under the Rule, a covered entity must conduct a periodic risk assessment of its information systems “sufficient to inform the design of” its cybersecurity program required by the Rule and must update the risk assessment to address various changes, developments, and threats. The Draft Amendments would expand upon the Rule’s definition of a “Risk Assessment” and more clearly articulate that an assessment must, for example, “take into account the specific circumstances of the covered entity.” The Draft Amendments also would clarify that a covered entity’s risk assessment must be updated at least annually or whenever a change in business or technology “causes a material change to the covered entity’s cyber risk.”

Additional Technical Requirements

The Draft Amendments would add a number of new technical requirements to the Rule, including:

  • Completion of an asset inventory that tracks information (e.g., owner, location, classification or sensitivity, support expiration date, and recovery time requirements) for each technology asset (e.g., hardware, operating systems, applications, infrastructure devices, APIs, and cloud services), and requirements for updating and validating the asset inventory;
  • Heightened access controls for privileged accounts, such as limiting access to a need-to-know basis, implementing multifactor authentication, and securely configuring or disabling protocols that permit remote control of devices;
  • Regular phishing training and exercises for all personnel; and
  • Monitoring and filtering of emails to block malicious content.

New Governance Obligations

The Draft Amendments would impose a number of new governance obligations, including:

  • CISO independence and authority to ensure that cyber risks are appropriately managed;
  • Additional CISO reporting obligations to the board of directors to include plans for remediating inadequacies and timely reporting on material cybersecurity issues or major cybersecurity events (which are not defined);
  • Expertise and knowledge thresholds for board members (or requirements that they be advised by persons with such expertise and knowledge) such that they can exercise effective oversight of cyber risk;
  • Cybersecurity policy approval by the board (not senior management);
  • Annual certification of compliance with the Cybersecurity Rule by the CEO and the CISO, as opposed to a single senior officer;
  • Required business continuity and disaster recovery (“BCDR”) plans, which would be required to include certain prescribed content, such as identification of essential data, personnel, and infrastructure, a communications plan in the event of a disruption, and procedures for the maintenance of back-up infrastructure;
  • Periodic testing of incident response and BCDR plans, including the ability to restore systems from backups, with specific attention to recovering from ransomware incidents; and
  • Annual review by the CISO of the feasibility of encryption and the effectiveness of any compensating controls, as well as a requirement to implement a written policy requiring industry-standard encryption to protect nonpublic information held at rest or transmitted over external networks by the covered entity.

New Obligations for Larger (Class A) Companies

The Draft Amendments also would impose additional cybersecurity obligations on a new category of covered entities, “Class A Companies.” Under the Draft Amendments, a “Class A Company” would be a covered entity with: (1) over 2,000 employees; or (2) over $1 billion in gross annual revenues averaged over the last three years from all of its business operations and those of its affiliates. These Class A Companies would be subject to additional cybersecurity obligations, including:

  • Annual independent audits of the company’s cybersecurity program;
  • An obligation to conduct weekly vulnerability assessments, including systematic vulnerability scans and reviews of information systems, and documentation and reporting to the board and senior management of material gaps identified by these assessments;
  • Password controls, including a vaulting solution for privileged accounts, and an automated method for blocking commonly used passwords;
  • An obligation to monitor for anomalous activity by way of an endpoint detection and response (EDR) solution, together with a centralized solution for logging and security event alerting; and
  • Risk assessments by external experts at least once every three years.

Enforcement and Penalty Clarifications

The Draft Amendments also would clarify two aspects of enforcement of the Cybersecurity Rule. First, the Draft Amendments would make clear that the commission of a single act prohibited by or the failure to satisfy an obligation required by the Cybersecurity Rule would constitute a violation of the Rule. Second, the Draft Amendments would clarify that the NYDFS will consider certain mitigating factors when assessing penalties, including cooperation, good faith, intentionality, history of prior violations, harm to customers, gravity of violation, number of violations, and involvement of senior management.

Takeaways

The Draft Amendments signal a continued focus by the NYDFS on elevating cybersecurity requirements for covered entities. In particular, the Draft Amendments would represent the first significant overhaul of the Cybersecurity Rule since it was first issued. In large part, the Draft Amendments appear intended to address changes that have occurred since the Rule became effective in 2017, including the rapidly evolving cyber threat landscape and, in particular, the growing prevalence of ransomware incidents. Though many aspects of the Draft Amendments reflect existing best practices (including those outlined in current NYDFS industry guidance), covered entities should monitor whether NYDFS formally proposes the Draft Amendments so that they are equipped technically, organizationally, and financially to meet the heightened governance, technical, and notification obligations in the event that the Draft Amendments are adopted.

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.