Published on August 11th, 2022

NYDFS Proposed Amendments To Its Cybersecurity Rules


On July 29, the New York Department of Financial Services
(NYDFS) released Draft Amendments to its Part 500 Cybersecurity
Rules. The Draft Amendments include a number of significant
changes, including new notification requirements such as a
mandatory 24-hour notification for cyber ransom payments, specific
requirements for newly defined larger entities, increased
expectations for oversight of cybersecurity risk, additional
requirements for incident response plans (IRPs), business
continuity and training, risk assessments, and new technical
requirements. The Draft Amendments can be found here. The 10-day
pre-proposal comment period would have ended today, Aug. 8, 2022,
but NYDFS has extended the comment period for an additional 10
days, with a new deadline of Aug. 18, 2022. The official proposed
amendments will be published following the comment period.

NYDFS Cybersecurity Event Notifications

The Draft Amendments create several new notification
requirements:

  • A 72-hour obligation to notify NYDFS of any cybersecurity event
    in which an unauthorized user has gained access to a privileged
    account or any cybersecurity event that results in the deployment
    of ransomware within a material part of the covered entity's
    information systems.
  • A 24-hour obligation to notify NYDFS of any extortion payment
    connected with a cybersecurity event, as well as a 30-day reporting
    requirement explaining why payment was necessary, alternatives that
    were considered and the sanctions diligence that was
    conducted.

Class A Companies

The Draft Amendments create a new category of "Class
A" companies, which are covered entities with over 2,000
employees or over $1 billion in gross annual revenues averaged over
the past three years from all business operations of the company
and its affiliates. Class A companies are subject to several
additional cybersecurity obligations, including the following:

  • An independent audit of the company's cybersecurity program
    must be conducted at least annually.
  • External experts must be engaged at least once every three
    years to conduct a risk assessment.
  • Systematic scans or reviews of information systems must be
    conducted at least weekly, and any material gaps found during
    testing must be documented and reported to the board and senior
    management.
  • A password vaulting solution must be implemented for privileged
    accounts, along with an automated method of blocking commonly used
    passwords, unless the CISO approves in writing the use of
    reasonably equivalent or more secure access controls. Privileged
    access activity must also be monitored.
  • An endpoint detection and response solution must be implemented
    to monitor anomalous activity, including lateral movement, as well
    as centralized logging and security event alerting.

Governance

The Draft Amendments provide several additions to the Part 500
governance requirements:

  • The CISO must have adequate independence and authority to
    appropriately manage cyber risks.
  • The CISO will need to provide additional annual reporting to
    the board on plans for remediating inadequacies, as well as timely
    reporting to the board on material cybersecurity issues or major
    cybersecurity events.
  • The board will be required to have sufficient expertise and
    knowledge (or be advised by persons with sufficient expertise and
    knowledge) to exercise effective oversight of cyber risk.
  • The board will be required to approve the company's
    cybersecurity policies.
  • Covered entities must periodically test their (1) IRPs with all
    staff who are critical to the response, including senior officers
    and the CEO; (2) business continuity and disaster recovery plans
    (BCDR plans) with all staff who are critical to the continuity and
    response effort, including senior officers; and (3) ability to
    restore their systems from backups. IRPs must address ransomware
    incidents and include recovery from backups.

Risk Assessments

The Draft Amendments make several changes to the risk assessment
requirements in Part 500, including:

  • Assessments will be required to be tailored to the specific
    organization: "Risk assessment means . . . the process of
    identifying cybersecurity risks to organizational operations
    (including mission, functions, image, and reputation),
    organizational assets, individuals, customers, consumers, other
    organizations, and critical infrastructure resulting from the
    operation of an information system. Risk assessments shall take
    into account the specific circumstances of the covered entity,
    including but not limited to its size, staffing, governance,
    businesses, services, products, operations, customers,
    counterparties, service providers, vendors, other relations and
    their locations, as well as the geographies and locations of its
    operations and business relations . . . ."
  • The risk assessments must be updated annually and an impact
    assessment must be conducted whenever a change in the business or
    technology causes a material change to the company's cyber
    risk.

Incident Response Plans, Business Continuity and
Training

The Draft Amendments make changes to the existing requirement
for covered entities to have an IRP. The Draft Amendments would
require that covered entities have written plans that include
proactive measures to mitigate disruptive events and ensure
operational resilience.

  • The current version of the Cybersecurity Rules requires covered
    entities to have an IRP that is designed to promptly respond to and
    recover from any cybersecurity event materially affecting the
    covered entity's information systems or the continuing
    functionality of any aspect of the covered entity's business or
    operations. The Draft Amendments would also require that IRPs
    address recovery from backups in the event of a ransomware incident
    and contain plans for updating the IRP as necessary. In addition,
    the Draft Amendments require that covered entities periodically
    test their IRPs with all staff critical to the response, including
    senior officers and the CEO, and revise the plan as necessary.
  • The Draft Amendments require covered entities to implement a
    BCDR plan that is reasonably designed to ensure the availability
    and functionality of the covered entity's services and protect
    the covered entity's personnel, assets, and nonpublic
    information in the event of an emergency or other disruption to its
    normal business activities. In addition to the below, covered
    entities would be required to periodically test their BCDR plans
    with all staff critical to the continuity and response effort,
    including senior officers.
  • BCDR plans must include, at a minimum:
    • Identification of documents, data facilities, infrastructure,
      personnel, and competencies essential to the continued operations
      of the covered entity's business.
    • Identification of the personnel responsible for the
      implementation of each aspect of the plan.
    • A plan to communicate with essential persons in the event of an
      emergency or other disruption to the covered entity's
      operations.
    • Procedures for appropriate maintenance and staffing of backup
      facilities, systems, and infrastructure, as well as other resources
      to enable the timely recovery of data and to resume operations as
      soon as reasonably possible.
    • Procedures for the backup or copying, with sufficient
      frequency, of documents and data essential to the operations of the
      covered entity, and for storing the information offsite.
    • Identification of third parties necessary to the continued
      operations of the covered entity's business.
  • These plans must be distributed to all relevant employees and
    copies must be maintained at one or more accessible off-site
    locations.
  • Training must be provided to all employees responsible for
    implementing the plans.

Technology

The Draft Amendments also add several new technology
requirements, including:

  • Policies and procedures to ensure a complete asset inventory
    that tracks information (e.g., owner, location, classification or
    sensitivity, support expiration date, and recovery time
    requirements) for all hardware, operating systems, applications,
    infrastructure devices, APIs and cloud services.
  • Privileged accounts requirements, including that (1) the access
    functions of privileged accounts be limited to only those necessary
    to perform the user's job function; (2) multifactor
    authentication (MFA) be set up for all privileged accounts, except
    for certain service accounts; and (3) all protocols that permit
    remote control of devices be disabled or securely configured.
  • Each covered entity would be required to maintain backups
    isolated from network connections.
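The asset inventory requirement above names the attributes a covered entity would have to track for every asset. The following is an added illustration, not text or code from the article or from NYDFS, of how those attributes can be modelled as a record and checked for completeness and for assets whose vendor support has already lapsed. The field names, the sample inventory and the reference date are constructed assumptions.

```python
"""Asset inventory completeness check (added example; field names and
sample data are assumptions, not from the Draft Amendments)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Attributes the Draft Amendments list for the inventory, mapped to field names
# chosen here for illustration: owner, location, classification or sensitivity,
# support expiration date, and recovery time requirement.
REQUIRED_FIELDS = ("owner", "location", "classification", "support_end", "rto_hours")

# Asset categories named in the requirement (hardware, operating systems,
# applications, infrastructure devices, APIs, cloud services).
ASSET_KINDS = {"hardware", "os", "application", "infra_device", "api", "cloud_service"}

# Reference date for the support-expiry check (the article's publication date,
# used here only as a fixed point so the example is reproducible).
AS_OF = date(2022, 8, 11)


@dataclass
class Asset:
    asset_id: str
    kind: str
    owner: Optional[str] = None
    location: Optional[str] = None
    classification: Optional[str] = None
    support_end: Optional[date] = None   # vendor support expiration date
    rto_hours: Optional[int] = None      # recovery time requirement, in hours


def missing_fields(asset: Asset) -> List[str]:
    """Return the required attributes that are not populated on this asset."""
    return [f for f in REQUIRED_FIELDS if getattr(asset, f) is None]


def audit_inventory(assets: List[Asset], as_of: date) -> List[Tuple[str, str, str]]:
    """Flag inventory gaps as (asset_id, finding, detail) tuples.

    Findings raised:
      - "unknown_kind": the asset is not in one of the listed categories
      - "incomplete":   one or more required attributes are missing
      - "unsupported":  the recorded support expiration date is before as_of
    """
    findings = []
    for a in assets:
        if a.kind not in ASSET_KINDS:
            findings.append((a.asset_id, "unknown_kind", a.kind))
        gaps = missing_fields(a)
        if gaps:
            findings.append((a.asset_id, "incomplete", ",".join(gaps)))
        if a.support_end is not None and a.support_end < as_of:
            findings.append((a.asset_id, "unsupported", a.support_end.isoformat()))
    return findings


# Constructed sample inventory: one complete and supported asset, one whose
# support has lapsed, and one with unpopulated attributes.
SAMPLE_INVENTORY = [
    Asset("srv-001", "os", owner="platform-team", location="dc-east",
          classification="confidential", support_end=date(2025, 10, 14), rto_hours=4),
    Asset("app-017", "application", owner="payments", location="cloud-region-a",
          classification="restricted", support_end=date(2021, 6, 30), rto_hours=2),
    Asset("api-042", "api", owner=None, location="cloud-region-a",
          classification=None, support_end=date(2026, 1, 1), rto_hours=8),
]

if __name__ == "__main__":
    for asset_id, finding, detail in audit_inventory(SAMPLE_INVENTORY, AS_OF):
        print(f"{asset_id}: {finding} ({detail})")
```

Running the audit over the constructed inventory reports `app-017` as unsupported and `api-042` as incomplete (missing owner and classification); `srv-001` produces no finding. In practice the same check would be run against the exported inventory on a schedule, with the findings feeding the documentation of gaps that the Draft Amendments expect to reach the board and senior management.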

The current version of the Cybersecurity Rules permitted a CISO
to approve in writing the use of reasonably equivalent alternative
controls for external access to a covered entity's internal
network. The Draft Amendments would remove this discretion and
require MFA for all remote access to the network as well as for
enterprise and third-party applications from which nonpublic
information is accessible.

Key Takeaways

  • Implement MFA for remote access and access to applications
    storing nonpublic information.
  • Implement IRPs and BCDR plans.
    • IRPs and BCDR plans are separate and are intended to address
      different types of organizational risks. They should be used in
      conjunction when responding to a cybersecurity incident.
    • Periodically test these plans by holding tabletop
      exercises.
  • Develop – and test – a backup communications plan
    in the event that normal methods of communication are unavailable
    or insecure.
  • Consider developing an asset inventory now, as it takes time to
    develop.
  • NYDFS has in the past issued fines for what it deemed to be
    misrepresentations made in companies' annual certifications.
    This has been a challenging area for companies that identified and
    addressed a compliance issue but, pursuant to guidance from NYDFS,
    could not certify compliance for that year (because they had not
    been compliant for the entire year). The Draft Amendments would
    allow for an acknowledgement of less-than-full compliance with an
    identification of the specific deficiencies, but companies must be
    prepared to provide the NYDFS with their documentation of remedial
    efforts planned and underway, along with a timeline for
    implementation of those efforts.
  • The Draft Amendments will likely take effect in 2023, and
    companies should consider the budget needed to comply with the
    additional proposed requirements.
