On July 29, the New York Department of Financial Services
(NYDFS) released Draft Amendments to its Part 500 Cybersecurity
Rules that include a number of significant amendments to the rules,
including notification requirements such as a mandatory 24-hour
notification for cyber ransom payments, specific requirements for
newly defined larger entities, increased expectations for oversight
of cybersecurity risk, additional requirements for incident
response plans (IRPs), business continuity and training, risk
assessments, and new technical requirements. The Draft Amendments
can be found here. The 10-day pre-proposal comment period
would have ended today, Aug. 8, 2022, but NYDFS has extended the
comment period for an additional 10 days, with a new deadline of
Aug. 18, 2022. The official proposed amendments will be published
following the comment period.
NYDFS Cybersecurity Event Notifications
The Draft Amendments create several new notification
requirements:
- A 72-hour obligation to notify NYDFS of any cybersecurity event in which an unauthorized user has gained access to a privileged account or any cybersecurity event that results in the deployment of ransomware within a material part of the covered entity's information systems.
- A 24-hour obligation to notify NYDFS of any extortion payment connected with a cybersecurity event, as well as a 30-day reporting requirement explaining why payment was necessary, alternatives that were considered and the sanctions diligence that was conducted.
Class A Companies
The Draft Amendments create a new category of "Class
A" companies, which are covered entities with over 2,000
employees or over $1 billion in gross annual revenues averaged over
the past three years from all business operations of the company
and its affiliates. Class A companies are subject to several
additional cybersecurity obligations, including the following:
- An independent audit of the company's cybersecurity program must be conducted at least annually.
- External experts must be engaged at least once every three years to conduct a risk assessment.
- Systematic scans or reviews of information systems must be conducted at least weekly, and any material gaps found during testing must be documented and reported to the board and senior management.
- A password vaulting solution must be implemented for privileged accounts, along with an automated method of blocking commonly used passwords, unless the CISO approves in writing the use of reasonably equivalent or more secure access controls. Privileged access activity must also be monitored.
- An endpoint detection and response solution must be implemented to monitor anomalous activity, including lateral movement, as well as centralized logging and security event alerting.
Governance
The Draft Amendments provide several additions to the Part 500
governance requirements:
- The CISO must have adequate independence and authority to appropriately manage cyber risks.
- The CISO will need to provide additional annual reporting to the board on plans for remediating inadequacies, as well as timely reporting to the board on material cybersecurity issues or major cybersecurity events.
- The board will be required to have sufficient expertise and knowledge (or be advised by persons with sufficient expertise and knowledge) to exercise effective oversight of cyber risk.
- The board will be required to approve the company's cybersecurity policies.
- Covered entities must periodically test their (1) IRPs with all staff who are critical to the response, including senior officers and the CEO; (2) business continuity and disaster recovery plans (BCDR plans) with all staff who are critical to the continuity and response effort, including senior officers; and (3) ability to restore their systems from backups. IRPs must address ransomware incidents and include recovery from backups.
Risk Assessments
The Draft Amendments make several changes to the risk assessment
requirements in Part 500, including:
- Assessments will be required to be tailored to the specific organization: "Risk assessment means . . . the process of identifying cybersecurity risks to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, customers, consumers, other organizations, and critical infrastructure resulting from the operation of an information system. Risk assessments shall take into account the specific circumstances of the covered entity, including but not limited to its size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations . . . ."
- The risk assessments must be updated annually and an impact assessment must be conducted whenever a change in the business or technology causes a material change to the company's cyber risk.
Incident Response Plans, Business Continuity and Training
The Draft Amendments make changes to the existing requirement
for covered entities to have an IRP. The Draft Amendments would
require that covered entities have written plans that include
proactive measures to mitigate disruptive events and ensure
operational resilience.
- The current version of the Cybersecurity Rules requires covered entities to have an IRP that is designed to promptly respond to and recover from any cybersecurity event materially affecting the covered entity's information systems or the continuing functionality of any aspect of the covered entity's business or operations. The Draft Amendments would also require that IRPs address recovery from backups in the event of a ransomware incident and contain plans for updating the IRP as necessary. In addition, the Draft Amendments require that covered entities periodically test their IRPs with all staff critical to the response, including senior officers and the CEO, and revise the plan as necessary.
- The Draft Amendments require covered entities to implement a BCDR plan that is reasonably designed to ensure the availability and functionality of the covered entity's services and protect the covered entity's personnel, assets, and nonpublic information in the event of an emergency or other disruption to its normal business activities. In addition to the below, covered entities would be required to periodically test their BCDR plans with all staff critical to the continuity and response effort, including senior officers.
- BCDR plans must include, at a minimum:
  - Identification of documents, data facilities, infrastructure, personnel, and competencies essential to the continued operations of the covered entity's business.
  - Identification of the personnel responsible for the implementation of each aspect of the plan.
  - A plan to communicate with essential persons in the event of an emergency or other disruption to the covered entity's operations.
  - Procedures for appropriate maintenance and staffing of backup facilities, systems, and infrastructure, as well as other resources to enable the timely recovery of data and to resume operations as soon as reasonably possible.
  - Procedures for the backup or copying, with sufficient frequency, of documents and data essential to the operations of the covered entity, and for storing the information offsite.
  - Identification of third parties necessary to the continued operations of the covered entity's business.
- These plans must be distributed to all relevant employees and copies must be maintained at one or more accessible off-site locations.
- Training must be provided to all employees responsible for implementing the plans.
Technology
The Draft Amendments also add several new technology
requirements, including:
- Policies and procedures to ensure a complete asset inventory that tracks information (e.g., owner, location, classification or sensitivity, support expiration date, and recovery time requirements) for all hardware, operating systems, applications, infrastructure devices, APIs and cloud services.
- Privileged account requirements, including that (1) the access functions of privileged accounts be limited to only those necessary to perform the user's job function; (2) multifactor authentication (MFA) be set up for all privileged accounts, except for certain service accounts; and (3) all protocols that permit remote control of devices be disabled or securely configured.
- Each covered entity would be required to maintain backups isolated from network connections.
The current version of the Cybersecurity Rules permitted a CISO
to approve in writing the use of reasonably equivalent alternative
controls for external access to a covered entity's internal
network. The Draft Amendments would remove this discretion and
require MFA for all remote access to the network as well as for
enterprise and third-party applications from which nonpublic
information is accessible.
KEY TAKEAWAYS
- Implement MFA for remote access and access to applications storing nonpublic information.
- Implement IRPs and BCDR plans.
  - IRPs and BCDR plans are separate and are intended to address different types of organizational risks. They should be used in conjunction when responding to a cybersecurity incident.
  - Periodically test these plans by holding tabletop exercises.
- Develop – and test – a backup communications plan in the event that normal methods of communication are unavailable or insecure.
- Consider developing an asset inventory now, as it takes time to develop.
- NYDFS has in the past issued fines for what it deemed to be misrepresentations made in companies' annual certifications. This has been a challenging area for companies that identified and addressed a compliance issue but, pursuant to guidance from NYDFS, could not certify compliance for that year (because they had not been compliant for the entire year). The Draft Amendments would allow for an acknowledgement of less-than-full compliance with an identification of the specific deficiencies, but companies must be prepared to provide the NYDFS with their documentation of remedial efforts planned and underway, along with a timeline for implementation of those efforts.
- The Draft Amendments will likely take effect in 2023, and companies should consider the budget needed to comply with the additional proposed requirements.