On June 28, 2023, the New York Department of Financial Services (“NYDFS”) published updated proposed amendments to its cybersecurity regulation (the “2023 Proposal”) applicable to “covered entities.”1 Covered entities are any person operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation or similar authorization under the New York Banking Law, Insurance Law or Financial Services Law. These updated amendments come after comments from industry groups and other stakeholders to the NYDFS’s proposed revisions that were published on November 9, 2022 (the “2022 Proposal”).2 Comments on the 2023 Proposal may be submitted until August 14, 2023.
In this Legal Update, we provide a section-by-section analysis of new requirements in the 2023 Proposal. The 2023 Proposal is extensive and would significantly expand requirements for covered entities. Key new and expanded requirements include: (1) new requirements for larger companies (Class A Companies, as defined below); (2) expanded governance requirements, such as board approval for cybersecurity policies; (3) expanded cyber incident notice and compliance certification requirements; (4) expanded requirements for asset inventory; and (5) a revised multi-factor authentication requirement for user access to a company’s network.
Section 500.1 – Definitions
The 2023 Proposal would differentiate among the businesses that are subject to the cybersecurity requirements by creating “Class A Companies,” which would be covered entities with at least $20 million in gross annual revenue from operations in New York (including New York revenue of affiliates) that also have more than 2,000 employees (including employees of affiliates) or more than $1 billion in average gross annual revenue over the last two years (including revenue of affiliates). The latter measurements are not limited by geography.
The 2023 Proposal would create definitions for an “Independent Audit,” “Privileged Account,” and “Senior Governing Body,” which are discussed further in Sections 500.2, 500.7, and 500.3, respectively. It would remove language using text messaging as an example of an acceptable possession factor for multi-factor authentication.
The 2023 Proposal would add a definition of “Risk Assessment” to specify that a risk assessment is a process of identifying cybersecurity risks to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, customers, consumers, other organizations, and critical infrastructure resulting from the operation of an information system. A risk assessment would need to consider the specific circumstances of a covered entity. The 2023 Proposal would also modify the “Third Party Service Provider” definition to exclude governmental entities.
Section 500.2 – Cybersecurity Program
The 2023 Proposal would require Class A Companies to conduct an Independent Audit of their cybersecurity programs at least annually. An Independent Audit would be defined as an audit conducted by internal or external auditors free to make their decisions, not influenced by the covered entity being audited or by its owners, managers, and employees.
It also would require all covered entities to make available to NYDFS documents and other information pertaining to the parts of a cybersecurity program which were adopted by the company from an affiliate.
Section 500.3 – Cybersecurity Policy
The 2023 Proposal would clarify that a covered entity’s cybersecurity policy must be approved by the Senior Governing Body at least annually. A Senior Governing Body could be a covered entity’s board of directors (or committee thereof), or the company’s senior officer if no board exists.
It also would clarify that a covered entity should have procedures to implement its cybersecurity policy, and would add data retention, end of life management, remote access, security awareness and training, systems and application security, and vulnerability management to items that must be addressed in cybersecurity policies and procedures.
Section 500.4 – Chief Information Security Officer
The 2023 Proposal would rename the section on the chief information security officer (“CISO”) to “cybersecurity governance” and broaden the governance requirements. The proposed definition for CISO in Section 500.1 would specify that a CISO must have adequate authority and resources to ensure cybersecurity risks are appropriately managed.
In addition to the requirement to report annually to a covered entity’s Senior Governing Body regarding the cybersecurity program,3 a CISO would need to report material cybersecurity issues, including updates to risk assessments and major cyber events, in a timely manner.
If a covered entity has a board of directors, the board, or a committee thereof, would need to exercise effective oversight of management’s cybersecurity risk management and require management to develop, implement, and maintain a cybersecurity program. The board or committee also would need to have sufficient knowledge to exercise effective oversight of cyber risk.
The 2023 Proposal removed language in the 2022 Proposal that required the board of directors to have sufficient “knowledge and expertise” to oversee cyber risk, and language that required the board to “provide direction to management” on the cybersecurity program.
Section 500.5 – Penetration Testing and Vulnerability Assessments
The 2023 Proposal would expand the penetration testing and vulnerability assessment requirements by specifying that penetration testing must be conducted at least annually by a qualified internal or external party and vulnerability scans must be conducted based on the results of the risk assessments. Covered entities also would need to have a monitoring process for identifying vulnerabilities. All covered entities would need to ensure that vulnerabilities are remediated on a risk-focused basis, and material issues identified through testing are timely remediated based on the risk they pose.
The 2023 Proposal removes from this section a requirement in the 2022 Proposal that material issues be documented and be reported to the senior governing body. However, Section 500.4(c) continues to require that “material cybersecurity issues” be timely reported to the senior governing body.
Section 500.7 – Access Privileges
The 2023 Proposal would expand the access privilege requirements to emphasize the principle of least privilege and restrict protocols that permit remote control of devices. Privileged Accounts, defined as those that perform security-relevant functions that ordinary users are not authorized to perform or can affect a material change to technical or business operations, would be subject to additional requirements. Covered entities also would need to implement secure password rules, and Class A Companies would need to implement additional controls over Privileged Accounts.
Section 500.8 – Application Security
The 2023 Proposal would specify that the CISO must review application security materials “at least annually,” instead of “periodically.”
Section 500.9 – Risk Assessment
With respect to risk assessments, the 2023 Proposal would require all covered entities to update them at least annually and conduct an impact assessment whenever a change in the business or technology causes a material change to cyber risk.
The 2023 Proposal removes the requirement from the 2022 Proposal that Class A Companies use external experts to conduct a risk assessment at least once every three years.
Section 500.10 – Cybersecurity Personnel and Intelligence
The 2023 Proposal would explicitly require a CISO and a covered entity’s Senior Governing Body to maintain appropriate oversight of an affiliate or third-party service provider that performs cybersecurity compliance activities on behalf of the covered entity.
Section 500.11 – Third Party Service Provider Security Policy
The 2023 Proposal would remove the exception that an agent, employee, representative or designee of a covered entity that is itself regulated by NYDFS need not develop its own third-party information security policy if it follows the policy of a covered entity.
However, note that Section 500.19(c) continues to exempt such agents, employees, representatives, and designees from the need to have a cybersecurity program to the extent that they follow the cybersecurity program of another covered entity.
Section 500.12 – Multi-Factor Authentication
The 2023 Proposal would require the use of multi-factor authentication for any individual accessing the information systems except where the CISO has approved reasonably equivalent compensating controls. Compensating controls must be reassessed at least annually.
Smaller companies that qualify for an exemption under 500.19(a) would be required to use multi-factor authentication only for remote access and privileged accounts.
The 2023 Proposal expands the multi-factor authentication requirements, as the current rule only requires MFA for remote access.
Section 500.13 – Limitations on Data Retention
The 2023 Proposal would include a requirement that a covered entity maintain an asset inventory of technology resources. It would specify the information that must be collected and maintained for each asset, and would require that the information be updated and validated as determined by the covered entity.
The 2023 Proposal narrowed similar language in the 2022 Proposal by adding language clarifying that the asset inventory must be of the covered entity’s information systems, as opposed to all assets.
Section 500.14 – Training and Monitoring
The 2023 Proposal would expand the monitoring requirements to require a covered entity to monitor and filter internet traffic and emails to block malicious content. Covered entities also would need to provide training, exercises, and simulations on cybersecurity and social engineering (such as phishing).
A Class A Company would be required to implement endpoint detection, anomalous activity monitoring, centralized logging, and security event alerting, unless the CISO has determined in writing that it would use a reasonably equivalent or more secure control.
Section 500.15 – Encryption of Nonpublic Information
The 2023 Proposal would require covered entities to maintain written encryption policies that meet industry standards and document approval of compensating controls for the non-use of encryption in writing.
Section 500.16 – Incident Response Plan
The 2023 Proposal would expand the incident response plan requirement to include business continuity and disaster recovery (“BCDR”) planning for cybersecurity events. Incident and BCDR plans would need to be distributed or made accessible to relevant employees, subject to training, and periodically tested at least annually. Incident response planning would also require post-event root cause analysis of the incident.
Covered entities also would be required to test their ability to restore systems from backups and maintain protected backups at least once a year.
The 2023 Proposal added language to the 2022 Proposal that specifies the required BCDR planning is for recovery from cybersecurity events, as opposed to recovery from all potential disruptions to normal business activities.
Section 500.17 – Notices to Superintendent
The 2023 Proposal would expand the cybersecurity event notification requirement to expressly cover three categories of cybersecurity events: (i) cybersecurity events where an unauthorized user has gained access to a privileged account; (ii) cybersecurity events that resulted in the deployment of ransomware within a material part of the covered entity’s information system; or (iii) cybersecurity events at a third-party service provider that affect a covered entity. It also would require a covered entity to provide and update information that NYDFS may request regarding the investigation of the cybersecurity event.
It also would add a new notification requirement for extortion payments. A covered entity would be required to notify NYDFS of an extortion payment made in connection with a cybersecurity event within 24 hours of making the payment. The covered entity then would be required to provide notice to NYDFS within 30 days of the reasons payment was necessary, a description of alternatives to payment considered, all diligence performed to find alternatives to payment, and all diligence performed to ensure compliance with applicable rules and regulations, including those of the Office of Foreign Assets Control.
The 2023 Proposal would expand the annual compliance certification for non-compliance with the requirements by requiring written disclosure of requirements that the covered entity has not fully complied with and the nature of such non-compliance. It would also require that the certification be based on documentation sufficient to demonstrate full compliance, such as reports or sub-certifications.
The compliance certification would need to be signed by the covered entity’s highest-ranking executive and CISO (or other person responsible for cybersecurity).
This 2023 Proposal makes several changes from the 2022 Proposal, including a new the requirement that companies certify material compliance throughout the prior year, and the removal of the requirement that a written acknowledgement of non-compliance include information such as systems that require improvement and a timeline for remediation.
Section 500.19 – Exemptions
The 2023 Proposal would modestly expand number of companies that qualify for small-company exemptions from some cybersecurity requirements by raising the personnel threshold from 10 to 20 and the total assets threshold from $10 million to $15 million. It would also expand the list of fully exempt licensees from the regulation entirely to include reciprocal jurisdiction reinsurers, inactive individual insurance agents and brokers, and inactive individual mortgage loan originators.
The 2023 Proposal would also require that companies that ceased to be eligible for an exemption would have 180 days to come into compliance.
Section 500.20 – Enforcement
The 2023 Proposal would expand the enforcement provision by specifying that a single act, or failure to act, constitutes a violation of the cybersecurity requirements, including the failure to materially comply for any 24-hour period with any requirement. It also would list factors that NYDFS will consider when assessing a penalty for a violation, such as a covered entity’s history of prior violations.
The 2023 Proposal changed the requirement for a violation for each 24-period by adding a requirement that such violation be material.
Section 500.21 – Effective Date
The revisions would become effective upon adoption by NYDFS, subject to the transitional arrangements discussed below.
Section 500.22 – Transitional Periods
Covered entities generally would be required to comply with the revisions within 180 days of adoption by NYDFS. However, some provisions in the proposal have different effective dates:
- 30 days after adoption: requirements for cybersecurity event notification and annual compliance certification
- One year after adoption: requirements for incident response planning and BCDR, governance, encryption, and the size-based exemption
- 18 months after adoption: requirements for vulnerability scanning, password controls, and enhanced monitoring controls for Class A Companies
- Two years after adoption: requirements for an asset inventory and multi-factor authentication
NEW Section 500.24 – Exemptions from Electronic Filing and Submission Requirements
The 2023 Proposal would add a new section that allows a covered entity to request an exemption from having to make an electronic filing or a submission as part of compliance with a requirement.
Section 500 Appendices – Certification of Compliance and Notice of Exemption
The 2023 Proposal would delete the appendices that contain model forms of the certification of compliance and notice of exemption. Absent an exemption, the 2023 Proposal would require filings by covered entities to be submitted electronically.
The 2023 Proposal would significantly expand the cybersecurity requirements for companies regulated by NYDFS, particularly larger companies that would fall within the definition of Class A Companies. Some new requirements may also require extensive modifications to existing systems (e.g., attributes in asset inventories).
While the amendments are subject to notice-and-comment, covered entities will likely benefit from considering how they would meet these requirements if they are finalized in substantially similar form. In addition, businesses that are not subject to the DFS regulation may benefit from reviewing these regulations to understand potential future trends, as DFS cyber regulations have a history of being adopted by other state and federal regulators.
1 NYDFS, Updated Proposed Second Amendment to 23 N.Y.C.R.R. pt. 500 (June 28, 2023), https://www.dfs.ny.gov/system/files/documents/2023/06/rev_rp_23a2_text_20230628.pdf; NYDFS, Cybersecurity Requirements for Financial Services Companies XLV (No. 26) N.Y. Reg. 23-27 (June 28, 2023), https://dos.ny.gov/system/files/documents/2023/06/062823.pdf.
2 NYDFS, Cybersecurity Requirements for Financial Services Companies XLIV (No. 45) N.Y. Reg. 26-28 (Nov. 9, 2022), https://dos.ny.gov/november-9-2022vol-xliv-issue-45.