The New York Department of Financial Services (NYDFS) has finalized amendments (“Amended Regulation”) to its cybersecurity rule (“Cybersecurity Rule”) that applies to financial institutions licensed by the NYDFS. This comes after a series of proposed amendments (see our client alert, 8/30/22). The Amended Regulation includes significant changes to the Cybersecurity Rule, such as: enhanced notification requirements for cybersecurity incidents and extortion payments; requirements for more regular risk assessments; additional controls to prevent unauthorized access to information systems; and requirements for monitoring and filtering emails, as well as for annual training.
NYDFS has been and remains a bellwether regulator for cybersecurity regulation, and the rules it adopts often serve as a model for other regulators. In 2017, NYDFS was one of the first state financial regulators to impose cybersecurity requirements on covered entities. Through the Amended Regulation, NYDFS continues to break new ground by, among other things, expanding notification obligations for cybersecurity incidents, imposing heightened cybersecurity program requirements for certain large financial institutions, and creating new requirements for cybersecurity programs, such as wider-scoped multifactor authentication, privileged account controls, and more detailed asset inventories. The Amended Regulation raises the benchmark for cybersecurity regulations and provides a model for other regulators to adopt.
Enhanced Notification Obligations of Certain Incidents
- 72-Hour Notification of Cybersecurity Incidents. The Amended Regulation updates and expands notification requirements with respect to certain cybersecurity incidents.[1] Specifically, each covered entity[2] must notify the NYDFS electronically as promptly as possible, but no later than 72 hours after determining that a “Cybersecurity Incident” has occurred.[3] Cybersecurity Incident is defined as a cybersecurity event[4] that has occurred at the covered entity, its affiliates, or a third-party service provider that: (i) impacts the covered entity and requires the covered entity to notify any government body, self-regulatory agency, or any other supervisory body; (ii) has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity; or (iii) results in the deployment of ransomware within a material part of the covered entity’s information systems.[5] Each covered entity also must promptly provide to the NYDFS any information requested regarding the incident. Covered entities have a continuing obligation to update the NYDFS with material changes or new information previously unavailable.[6]
The new amended notification rule also imposes new regulations with respect to third-party service providers of covered entities. While the notice rule in effect before the Amended Regulation governed covered entities’ responses to “cybersecurity events,”[7] such entities are now required to notify the NYDFS Superintendent “as promptly as possible” but no later than 72 hours after determining that a “cybersecurity incident” (as defined above) has occurred “at the covered entity, its affiliates, or a third party service provider.”[8] These changes are similar to the United States Securities and Exchange Commission’s new Cybersecurity Disclosure Rule, which requires covered entities to report cybersecurity incidents that occur at their third-party service providers.[9] Consequently, the Amended Regulation, in effect, imposes additional downstream pressure on third-party service providers who work with covered entities to ensure they notify their customers of triggering cybersecurity incidents. Compliance is required by December 1, 2023.
- 24-Hour Notification of Extortion Payments. Each covered entity must provide the NYDFS with notice of any extortion payment made in connection with a cybersecurity event involving the covered entity within 24 hours.[10] This requirement is similar to the 24-hour ransom payment notice required by the federal Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA);[11] however, while CIRCIA is limited to payments made in response to a ransomware attack, the Amended Regulation expands the notification requirement to apply to any extortion payment related to a cybersecurity event.[12] The Amended Regulation also breaks new ground by requiring covered entities to provide a written description—within 30 days—of alternatives to payment that were considered by the entity, the reasons a payment was necessary, and the due diligence efforts performed to ensure compliance with applicable rules and regulations, such as those imposed by the Office of Foreign Asset Control for sanctions violations.[13] Compliance is required by December 1, 2023.
Heightened Risk Assessment Requirements
The Amended Regulation includes material changes to the risk assessment requirements under the Cybersecurity Rule. In particular, the Amended Regulation expands upon the definition of “Risk Assessment” by stating that a Risk Assessment means “the process of identifying, estimating and prioritizing cybersecurity risks to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, customers, consumers, other organizations, and critical infrastructure resulting from the operation of an information system. Risk Assessments incorporate threat and vulnerability analyses and consider mitigations provided by security controls planned or in place.”[14] The Amended Regulation will now require that a Risk Assessment be reviewed and updated as reasonably necessary, but at a minimum annually, and whenever a change in the business or technology causes a material change to the covered entity’s cyber risk.[15] Compliance is required by April 29, 2024.
Cybersecurity Program Requirements
The Amended Regulation includes a number of new or enhanced technical requirements to the Cybersecurity Rule, including:
- Asset Inventory. Each covered entity must implement written policies and procedures designed to produce and maintain a complete, accurate, and documented asset inventory of the entity’s information systems.[16] The asset inventory must be maintained in accordance with written policies and procedures.[17] At a minimum, such policies and procedures must include: (i) a method to track key information for each asset (e.g., owner, location, classification or sensitivity, support expiration date, and recovery time objectives); and (ii) the frequency required to update and validate the entity’s asset inventory.[18] Compliance is required by November 1, 2025.
- Access Controls for Privileged Accounts. Covered entities must now implement access controls related to privileged accounts as a part of their cybersecurity programs. These controls must:
  - Restrict users’ access privileges to nonpublic information systems to those necessary to perform one’s job;[19]
  - Limit the number of privileged accounts and related access functions to only those necessary to perform one’s job;[20]
  - Confine the use of privileged accounts to times when users are actually performing functions requiring their use;[21]
  - Annually review user access privileges;[22]
  - Annually remove unnecessary accounts and access;[23]
  - Securely configure protocols allowing remote control of devices;[24] and
  - Promptly terminate user access following departure from the covered entity.[25]
  Compliance is required by May 1, 2025.
- Passwords. The covered entity must implement a written password policy that meets industry standards.[26] Compliance is required by May 1, 2025.
- Multifactor Authentication. Multifactor authentication must be used for any individual accessing any information systems of a covered entity unless the covered entity qualifies for a limited exemption.[27] The CISO may approve in writing the use of reasonably equivalent or more secure compensating controls.[28] These controls must be reviewed periodically, but at a minimum annually.[29] Compliance is required by November 1, 2025.
- Encryption. As part of its cybersecurity program, each covered entity must implement a written policy requiring encryption that meets industry standards, to protect nonpublic information both in transit over external networks and at rest.[30] The entity may use effective alternative compensating controls that have been reviewed and approved by the CISO in writing.[31] The feasibility of encryption and effectiveness of the compensating controls must be reviewed by the CISO at least annually.[32] Compliance is required by November 1, 2024.
- Monitoring and Training. Each covered entity must implement risk-based controls designed to protect against malicious code, including controls that monitor and filter web traffic and electronic mail to block malicious content.[33] Compliance is required by May 1, 2025. In addition, covered entities are required to provide all personnel with periodic, but at a minimum annual, cybersecurity awareness training that includes social engineering awareness and that is updated to reflect risks identified by the covered entity in its Risk Assessment.[34] Compliance is required by April 29, 2024.
New Governance Obligations
The Amended Regulation provides for several new or enhanced governance obligations, including:
- Senior Governing Body Oversight. The Amended Regulation defines the Senior Governing Body as the board of directors (or an appropriate committee thereof) or equivalent governing body or, if neither of those exist, the senior officer or officers of a covered entity responsible for that entity’s cybersecurity program.[35] The Senior Governing Body of the covered entity is required to exercise oversight of the covered entity’s cybersecurity risk management, including by: (i) having sufficient understanding of cybersecurity-related matters to exercise such oversight, which may include the use of advisors; (ii) requiring the entity’s executive management or its designees to develop, implement, and maintain the entity’s cybersecurity program; (iii) regularly receiving and reviewing management reports about cybersecurity matters; and (iv) confirming that the entity’s management has allocated sufficient resources to implement and maintain an effective cybersecurity program.[36] Compliance is required by November 1, 2024.
- Chief Information Security Officer (CISO). The CISO must report to the board of directors or senior officer(s) on material cybersecurity issues, such as significant cybersecurity events and significant changes to the covered entity’s cybersecurity program.[37] Compliance is required by November 1, 2024.
- Cybersecurity Policy Approval. The Senior Governing Body must annually review and approve a written policy for the protection of its information systems and nonpublic information.[38] Compliance is required by April 29, 2024.
- Annual Certification of Compliance. The covered entity’s highest-ranking executive and CISO (or the seniormost officer responsible for the company’s cybersecurity program) must annually certify and acknowledge compliance with the cybersecurity program of the covered entity.[39] The notice of compliance can be submitted in one of two forms:
  - (i) a written certification (a) that the entity materially complied with the requirements set forth in this rule during the prior calendar year; and (b) that is based upon data and documentation sufficient to accurately determine and demonstrate such material compliance; or
  - (ii) a written acknowledgment (a) that the entity did not materially comply with all the requirements of this rule for the prior calendar year; (b) that also identifies all the sections of the rule that the entity has not materially complied with and describes the nature and extent of such noncompliance; and (c) that provides a remediation timeline or confirmation that remediation has been completed.[40]
  Compliance is required by December 1, 2023.
- Business Continuity and Disaster Recovery (BCDR) Plans. Covered entities must establish written plans that contain proactive measures to investigate and mitigate cybersecurity events and to ensure operational resilience, such as BCDR plans.[41] Such plans must: identify documents, data, facilities, infrastructure, services, personnel, and competencies essential to the continued operations of the covered entity’s business; include procedures for backing up or copying, with sufficient frequency, information essential to the operations of the covered entity and storing such information offsite; and identify third parties that are necessary to the continued operations of the covered entity’s information systems.[42] Compliance is required by November 1, 2024.
New Obligations for Larger (Class A) Companies
The Amended Regulation creates additional obligations on a new category of covered entities, i.e., “Class A Companies,” defined as a covered entity with at least $20 million in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and the business operations in New York of the covered entity’s affiliates and: (i) over 2,000 employees averaged over the last two fiscal years, including employees of both the covered entity and all of its affiliates no matter where located; or (ii) over $1 billion in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and all of its affiliates no matter where located.[43] Class A Companies are subject to the following additional requirements under the Amended Regulation:
- Independent Audits. Class A Companies must design and conduct independent audits of their cybersecurity programs based on their Risk Assessments.[44] Compliance is required by April 29, 2024.
- Access Privileges and Management. Class A Companies are required to monitor privileged access activity and implement: (i) a privileged access management solution; and (ii) an automated method of blocking commonly used passwords for all accounts on information systems owned or controlled by the Class A Company and wherever feasible for all other accounts.[45] Compliance is required by May 1, 2025.
- Monitoring. Class A Companies must implement: (i) an endpoint detection and response solution to monitor anomalous activity; and (ii) a solution that centralizes logging and security event alerting.[46] Compliance is required by May 1, 2025.
Enforcement and Penalty Clarifications
- Commission of a Single Act. The Amended Regulation clarifies that the commission of a single act prohibited by the rule or the failure to act to satisfy an obligation required by the rule constitutes a violation of the Amended Regulation.[47] Such acts or failures include, without limitation: (i) the failure to secure or prevent unauthorized access to an individual’s or an entity’s nonpublic information due to noncompliance with any section of the Amended Regulation; or (ii) the material failure to comply for any 24-hour period with any section of the Amended Regulation.[48] Effective as of November 1, 2023.
- Mitigating Factors. In addition, the Amended Regulation clarifies that the NYDFS will consider certain mitigating factors when assessing penalties, including the following:[49] (i) the extent to which the covered entity has cooperated with the NYDFS superintendent in the investigation of such acts; (ii) the good faith of the entity; (iii) whether the violations resulted from conduct that was unintentional or inadvertent, reckless, or intentional and deliberate; (iv) whether the violation was a result of a failure to remedy previous examination matters requiring attention, or a failure to adhere to any disciplinary letter or letter of instructions; (v) any history of prior violations; (vi) the extent of harm to consumers; and (vii) the gravity of the violations.[50] Effective as of November 1, 2023.
Takeaways
According to the New York governor’s press release, the administration is “doubling down on [its] commitment to ensuring that financial institutions have safeguards in place to protect vital customer data and maintain the integrity of [the] financial system.” The Amended Regulation is effective as of November 1, 2023, and covered entities have 180 days from November 1, 2023 to comply with the Amended Regulation, with the exception that some provisions, as noted above, have a compliance date ranging from 30 days to two years from the effective date.
This relatively short implementation window, coupled with NYDFS’s status as a leader in cyber regulations, may encourage other regulators to follow its lead, meaning that companies should understand how the Amended Regulation will impact their operations and compliance regimes. The expanded notification obligations relating to cybersecurity incidents, the additional requirements for cybersecurity programs, and the enhanced requirements for Class A Companies are likely to become increasingly commonplace in cyber regulations issued by other regulators, and we expect the impact of the Amended Regulation will be felt far beyond the boundaries of New York.
Ken Sexauer, an associate in Morrison Foerster’s New York Office, and Kristina Hickerson, a Privacy Analyst in Morrison Foerster’s New York Office contributed to the writing of this alert.
[1] Section 500.17(a).
[2] See Section 500.1(e) (defining “covered entity” as any company that is required to register under New York’s Banking Law, Insurance Law, or Financial Services Law).
[3] Section 500.17(a)(1).
[4] See Section 500.1(f) (defining “cybersecurity event”).
[5] Section 500.1(g).
[6] Section 500.17(a)(2).
[7] See Section 500.1(f) (defining “cybersecurity event” as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system”).
[8] Section 500.17(a)(1).
[9] See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release No. 33-11216 (July 26, 2023) at 78–79, 170 (defining “information systems” to include electronic systems “owned or used by” a company—which includes third parties’ systems).
[10] Section 500.17(c)(1).
[11] See 6 U.S.C. 681b(a)(2).
[12] Id.
[13] Section 500.17(c)(2).
[14] Section 500.1(p).
[15] Section 500.9.
[16] Section 500.13(a).
[17] Id.
[18] Sections 500.13(a)(1)–(2).
[19] Section 500.7(a)(1).
[20] Section 500.7(a)(2).
[21] Section 500.7(a)(3).
[22] Section 500.7(a)(4).
[23] Id.
[24] Section 500.7(a)(5).
[25] Section 500.7(a)(6).
[26] Section 500.7(b).
[27] Section 500.12(a).
[28] Section 500.12(b).
[29] Id.
[30] Section 500.12(a).
[31] Section 500.12(b).
[32] Id.
[33] Section 500.14(a).
[34] Id.
[35] Section 500.1(q).
[36] Section 500.4(d).
[37] Section 500.4(c).
[38] Section 500.3.
[39] Section 500.17(b).
[40] Section 500.17(b)(1).
[41] Section 500.16(a).
[42] Section 500.16(a)(2).
[43] Section 500.1(d).
[44] Section 500.2(c).
[45] Section 500.7(c).
[46] Section 500.14(b).
[47] Section 500.20(b).
[48] Sections 500.20(b)(1)–(2).
[49] Section 500.20(c).
[50] Id.