On November 9, 2022, the New York Department of Financial
Services ("NYDFS") announced the publication of the official proposed amendments to its 2017 Cybersecurity Regulation 23 NYCRR 500
("Proposed Amendments"). This announcement follows a
highly active pre-proposal comment period, during which industry
stakeholders shared their thoughts with the NYDFS on the changes
under consideration, which we covered here for an Overview, here for a Q and A, and during a webcast. The 60-day public comment period to
the Proposed Amendments ends on January 9, 2023. In this blog post,
we discuss our initial observations on significant changes between the new release
and the pre-proposal.
Highlights of what we learned from the revisions:
- NYDFS took the time to ingest comments and clarify
interpretations, so the next round of comments is very
important. - The Revised Proposal softens the definition of Class A
companies. - The Revised Proposal softens the prescriptive requirements
around key controls, bringing back some of the risk-based elements
of the existing Part 500. - NYDFS understands that the implementation periods for some
technical elements were too aggressive and has softened those
requirements.
Revised Definition of Class A Companies and of Other Key
Terms
In the pre-proposal, NYDFS created a new category of companies
called "Class A" companies. Class A companies were
defined as those with over 2,000 employees as part of the covered
entity and its affiliates OR those companies with over $1 billion
in gross annual revenues averaged over the last three years for the
covered entity and affiliates. The Proposed Amendments revised the
definition of Class A Companies. The new formulation appears
designed to reduce the scope of the Class A Companies.
- As a threshold, the Covered Entity must have an
in-state (New York) gross annual revenue of
"at least $20,000,000"
"ineach of the last two
fiscal years from business operations of the covered
entity and its affiliates." This may exclude some
international banks with small branches in New York from the Class
A definition. - If the $20 million revenue in New York threshold is met, then:
- The Proposed Amendments now clarify that a company would be a
Class A if it has 2,000 employees as an
average over the last two fiscal years,
still accounting for the covered entity and affiliates. - Alternatively, a company can be Class A if the global
gross annual revenue threshold of $1 billion is met in
each of the last two fiscal years, as
opposed to being an average of the two.
- The Proposed Amendments now clarify that a company would be a
This revised definition addresses Question 1 from our webcast by clarifying when
a small NY branch of a larger overseas company might be considered
a Class A Company. In addition, the Proposed Amendments:
- Remove the possibility that an internal audit can satisfy an
"independent audit" by making clear that an audit must be
conducted by an external auditor; - Carve out "governmental entity" from the definition
of a "third party service provider"; - Change references to the CEO for requirements such as
compliance certification to the "highest-ranking executive at
the covered entity" which clarifies an ambiguity in the
pre-proposal draft that these requirements might adhere to
CEO's of parent companies of Covered Entities that themselves
did not have CEOs.
Emphasis on Certain Key Cybersecurity Domains
Certain revisions throughout the Proposed Amendments reflect
NYDFS's enhanced focus on key cybersecurity domains and
industry best practices. For example:
- Cybersecurity policies and procedures –
[500.3] the addition of data "retention," systems and
network "monitoring," "security awareness and
training," and incident "notification" to the list
of areas that must be addressed (to the extent applicable) by the
covered entity's cybersecurity policies based on its risk
assessment. - Incident Investigation – [500.16] the
addition of an explicit reference to the investigat[ive] aspects of
an incident response plan. - Annual Training and Testing of Incident Response Plan
– [500.14 & 500.16(d)(1)] the addition of a
minimum annual cadence to (1) the training requirement with an
explicit reference to social engineering exercises (expansion from
just "phishing"); and (2) the testing requirement for
incident response plans (the requirement for CEO participation is
replaced with that of the "highest-ranking executive" of
the Covered Entity). - Backups – [500.16(e)] the change of the
backup requirement from an actionoriented one (network isolation)
to a goal-oriented one (adequate protection from unauthorized
alterations or destruction). - Remedial Measures –
[500.17(b)(1)(ii)(d)] the addition of "remediation plans and
timeline for their implementation" as a required element of a
covered entity's written annual certification.
Softening of Certain Prescriptive Governance Requirements
The Proposed Amendments remove the CISO independence requirement
in the preproposal draft and adjust the mandatory nature of the
additional board reporting requirement.
- The Proposed Amendments require the CISO to have authority and
"the ability to direct sufficient resources to implement and
maintain a cybersecurity program" but remove the requirement
for CISO independence. This appears to be more practical for the
purposes of effective program implementation and oversight without
getting into locations on an org chart. - The Proposed Amendments further amend the CISO's annual
reporting to the Board or equivalent. The CISO still needs to
consider a number of factors in developing a report, but the report
no longer needs to include discussions of each such factor and does
not need to include plans for remediating inadequacies. - Finally, the Proposed Amendments seem to clarify that the
Board's role is to "exercise oversight and provide
direction to management on ... cybersecurity risk management."
Covered Entities still need to report material issues found in the
vulnerability management program to the "senior governing
body."
To view the full article, click here
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
Gloss