On November 1, the New York Department of Financial Services (“DFS” or the “Agency”) announced finalized amendments to its Cybersecurity Regulation applicable to DFS-regulated entities.[1] The finalized amendments to the Cybersecurity Regulation (the “Amendments”) contain significant revisions designed to mandate preventative measures to address common attack vectors and enhance cybersecurity governance, bringing more formality and uniformity to the assessment and mitigation of a covered entity’s specific cybersecurity risks.[2] The Amendments may also portend future changes to cybersecurity regulations outside of DFS, as the original DFS Cybersecurity Regulation influenced many existing cybersecurity requirements in other areas of the law.
The Amendments mark the Agency’s first set of significant changes to its Cybersecurity Regulation since its inception in 2017, and follow a process of more than a year after the initial draft of the Amendments was first published for public comment in July of 2022.[3] Updates to existing reporting requirements (e.g., the cybersecurity event notification and annual compliance certification obligations) will go into effect on December 1; however, for most provisions, entities will have 180 days (i.e., until April of 2024) to comply, while certain other provisions (such as those related to incident response planning, governance and encryption) will have different transitional periods for compliance, as further set forth in the Amendments.
Below, we have detailed six (6) areas of the most noteworthy changes under the Amendments, followed by some key takeaways for covered entities to consider when revising their cybersecurity programs for compliance with the amended Cybersecurity Regulation.
1. Heightened Compliance Obligations for Newly-Defined “Class A Companies.” One of the key changes set forth in the Amendments is the creation of a new, distinct category of regulated firms defined as “class A companies,” a term for entities that are larger, more complex and assumed by DFS to have more resources available to address cybersecurity risks.[4] While most of the Amendments will apply uniformly to all covered entities, class A companies are subject to stricter compliance obligations, including requirements to (a) design and conduct annual, independent audits of their cybersecurity programs, (b) monitor privileged user access activity, including by implementing a privileged access management system and an automated method of blocking commonly used passwords for all accounts, and (c) implement endpoint detection and response solutions to monitor anomalous activity and a centralized logging and security event alerting solution, unless the covered entity’s Chief Information Security Officer (“CISO”) approves, in writing, reasonably equivalent or more secure compensating controls.
2. Mandatory Revisions to Cybersecurity Policies and Procedures. Most of the changes advanced by the Amendments mandate revisions to internal cybersecurity policies and procedures, including access control, business continuity and incident response plans and policies, which now must be approved annually by the covered entity’s senior governing body (discussed below). Most notably, the Amendments significantly expand the required technical and organizational safeguards a covered entity must utilize to protect its information technology systems and, now expressly, the nonpublic information stored thereon. Such measures include (a) modifications to a covered entity’s vulnerability management program, including heightened requirements to conduct annual penetration testing from both inside and outside the information systems’ boundaries by a qualified party, to conduct automated scans and manual review of information systems to discover, analyze and address vulnerabilities, and to timely remediate all such identified vulnerabilities, (b) obligations to establish plans that contain proactive measures to investigate and mitigate cybersecurity events and to ensure operational resilience (including incident response, business continuity and disaster recovery plans) that are distributed or otherwise accessible to all employees as necessary, and that are tested annually, (c) maintenance of “asset inventories” to track key information for each information security asset, (d) requirements to conduct annual cybersecurity awareness training that covers social engineering for all personnel, and training for employees regarding implementation of the covered entity’s incident response, business continuity and disaster recovery plans, including with respect to such employees’ relevant roles and responsibilities, (e) implementation of risk-based controls designed to protect against malicious code, including controls that monitor and filter web traffic and electronic mail to block malicious content, and (f) periodic review of all user access privileges to remove or disable accounts that are no longer active or necessary and to reduce the overall number of users with access to nonpublic information.
In addition, mandatory utilization of both encryption and multi-factor authentication (“MFA”) is broadened under the Amendments, an unsurprising revision given that the lack of MFA implementation has played a key part in many of DFS’s enforcement actions, such as its $30 million settlement with Robinhood Crypto LLC (as previously discussed here). Through consent decrees and DFS-published industry guidance, the Agency has made its position clear that “multi-factor authentication is an essential part of cybersecurity hygiene,” as MFA weaknesses are often among the most common and easily exploitable gaps in an organization’s cybersecurity resiliency. Accordingly, the Amendments require that MFA be utilized not only for external network access, as previously required, but also for all remote access to the covered entity’s systems and to third-party applications from which nonpublic information is available, and for all access by any privileged accounts, in each case unless the CISO approves, in writing, a reasonably equivalent or more secure compensating control.
3. New Governance Requirements. In line with recent regulatory trends, the Amendments reveal DFS’s shift beyond technical regulation toward regulating covered entities’ cybersecurity governance and expertise. Most of the increased responsibilities lie with a covered entity’s CISO, but “senior governing bodies,” such as a board of directors or an appropriate committee thereof,[5] also assume increased accountability for their organization’s cybersecurity program under the Amendments. Specifically, the Amendments mandate that:
a. The CISO must timely report any material cybersecurity issues, including significant updates to the covered entity’s cybersecurity program or significant cybersecurity events, to the covered entity’s senior governing body; and
b. The senior governing body must exercise oversight over the covered entity’s cybersecurity risk management, including by (i) having sufficient understanding of cybersecurity-related matters to exercise oversight (which may include the use of advisors), (ii) requiring the covered entity’s executive management or its delegates to develop, implement and maintain the covered entity’s cybersecurity program, (iii) regularly receiving and reviewing management reports about cybersecurity matters and (iv) confirming that the covered entity’s management has allocated sufficient resources to implement and maintain an effective cybersecurity program.
4. Enhanced Extortion Payment Reporting Requirements. In addition to the 72-hour notification requirement for certain cybersecurity incidents,[6] the Amendments create additional notification obligations for covered entities in the event the covered entity makes an extortion payment in connection with a cybersecurity event. Specifically, a covered entity must notify the superintendent of the payment within twenty-four (24) hours via the DFS website and, within thirty (30) days of payment, provide a written description of the reasons payment was necessary, a description of alternatives to payment considered, all diligence performed to find alternatives to payment and all diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control.
5. Alternative “Acknowledgement of Non-Compliance.” Where a covered entity fails to file its annual compliance certification,[7] the Amendments now provide an alternative: the covered entity may file a written acknowledgement of noncompliance, describing the nature and extent of the noncompliance and the areas, systems and processes that require material improvement and redesign. The submission must include (a) an acknowledgement that, for the prior calendar year, the covered entity did not materially comply with the Cybersecurity Regulation, (b) identification of all sections of the Cybersecurity Regulation with which the entity did not materially comply, together with a description of the nature and extent of such noncompliance, (c) a remediation timeline or confirmation that remediation has been completed and (d) a signature from the covered entity’s highest-ranking executive and its CISO. This new reporting mechanism is expected to reduce the need for DFS to follow up with entities that fail to submit a certification.
6. Enforcement. The Amendments clarify that the commission of a single act prohibited by the Cybersecurity Regulation, or any failure to act to satisfy obligations imposed by the Cybersecurity Regulation, constitutes a violation subject to Agency enforcement. Such acts or failures include any failure to secure or prevent unauthorized access to nonpublic information due to noncompliance with the Cybersecurity Regulation, or any failure to comply with any provision of the Cybersecurity Regulation for any 24-hour period. In assessing penalties, the superintendent may consider a variety of factors, such as (a) the extent to which the covered entity has cooperated with the superintendent’s investigation, (b) the gravity of the violation, (c) the extent of harm to consumers, (d) whether the conduct in question was unintentional or inadvertent, reckless, or intentional and deliberate, (e) whether the violation involved an isolated incident and (f) the existence of repeat violations, systemic violations or a pattern of violations, or any history of prior violations.
Key Takeaways. While, as noted above, compliance with the Amendments is not mandated until April of 2024, covered entities should commit to ongoing review of their cybersecurity program and governance to ensure compliance with the Cybersecurity Regulation as revised. Where gaps or deficiencies are identified, covered entities should work diligently to address, remediate or mitigate such risks not only to ensure compliance and avoid liability under the Cybersecurity Regulation, but also to prevent the most common types of cyber-attacks and protect their organization’s most critical assets. Companies that are not regulated by DFS should nevertheless be aware of the Amendments and any subsequent guidance or DFS enforcement actions, as the new rules may preview requirements that will apply more broadly in the future.
[1] See 23 NYCRR Part 500.
[2] A redlined version of the Cybersecurity Regulation as amended can be found here.
[3] The Amendments also follow a series of enforcement actions undertaken by the Agency over the last few years. Specifically, DFS has imposed fines on non-compliant covered entities ranging from $1.5 million for data breach reporting failures to $30 million for significant anti-money laundering, cybersecurity and consumer protection violations. To date, most of the Agency’s enforcement actions have concentrated on deficits in an organization’s cybersecurity program, such as failures to implement multi-factor authentication and other access controls, or failures to conduct periodic risk assessments to identify vulnerabilities and inform the design of an organization’s security program.
[4] Specifically, the Amendments define class A companies to include covered entities that (i) have at least $20 million in gross annual revenues in each of the last two (2) fiscal years from the business operations of the covered entity and its New York-based affiliates and (ii) either (a) averaged more than 2,000 employees in the last two (2) fiscal years between the covered entity and its affiliates, no matter where located or (b) have over $1 billion in gross annual revenues in each of the last two (2) fiscal years from all business operations of the covered entity and its affiliates. Note that for calculation purposes, affiliates as used in this definition are limited to only include those that share information systems, cybersecurity resources or all or any part of a cybersecurity program with the covered entity.
[5] The Amendments define “senior governing body” as “the board of directors (or an appropriate committee thereof) or equivalent governing body or, if neither of those exist, the senior officer or officers of the covered entity responsible for the covered entity’s cybersecurity program.”
[6] The Amendments define cybersecurity incidents as “a cybersecurity event that has occurred at the covered entity, its affiliates or a third-party service provider that (a) impacts the covered entity and requires the covered entity to notify any government body, self-regulatory agency or any other supervisory body, (b) has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity or (c) results in the deployment of ransomware within a material part of the covered entity’s information systems.”
[7] The Amendments also now permit covered entities to submit certification of compliance where the entity has materially complied with the Cybersecurity Regulation during the prior calendar year, so long as such certification is based on data and documentation sufficient to accurately determine and demonstrate such material compliance.