After a multiyear process of proposals and assessment of public comments, the New York State Department of Financial Services (NYSDFS) has made significant amendments to its Cybersecurity Regulation, 23 NYCRR Part 500. The rule is final and effective as of November 1, 2023. Let’s take a comprehensive look at each requirement of the regulation and how it has changed.
Expanded Scope and Definitions
One of the most notable changes to the NYSDFS Cybersecurity Regulation is the broadened scope of its applicability. The regulation now reaches a wider range of entities: not only banks and insurers but also smaller financial institutions licensed under New York law, regardless of who their primary regulator is. Third-party service providers are reached indirectly, through the covered entity’s obligations for the vendors it relies on (Section 500.11), rather than being regulated directly.
- The definition of Covered Entity has been amended to state that “Covered entity means any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies.” Now, for example, if a NYS financial institution’s regulator is the NCUA, FDIC, OCC, or FRB, it will still be required to comply with the requirements of this regulation and submit its compliance (or non-compliance) to DFS. I find this to be one of the most significant changes to the regulation.
- A new classification, “Class A” companies. These are covered entities with at least $20,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and the business operations in NYS of the covered entity’s affiliates, and either:
- over 2,000 employees averaged over the last two fiscal years, including employees of both the covered entity and all of its affiliates no matter where located; or
- over $1,000,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and all of its affiliates regardless of location.
- The addition of a new defined term, “cybersecurity incident”. This narrower term is the trigger for notifications to NYSDFS under 500.17(a); the broader “cybersecurity event” remains the term used elsewhere in the regulation. The two definitions from Section 500.1 are:
- Cybersecurity event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse an information system or information stored on such information system.
- Cybersecurity incident means a cybersecurity event that has occurred at the covered entity, its affiliates, or a third-party service provider that:
- impacts the covered entity and requires the covered entity to notify any government body, self-regulatory agency or any other supervisory body;
- has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity; or
- results in the deployment of ransomware within a material part of the covered entity’s information systems.
Section 500.2 (Cybersecurity Program) Key Changes:
- Each Class A company shall design and conduct independent audits of its cybersecurity program based on its risk assessment.
- All documentation and information relevant to the covered entity’s cybersecurity program, including the relevant and applicable provisions of a cybersecurity program maintained by an affiliate and adopted by the covered entity, shall be made available to the superintendent upon request.
Section 500.3 (Cybersecurity Policy) Key Changes:
- Policies must be approved at least annually by the senior officer or senior governing body.
- Procedures shall be developed, documented, and implemented in accordance with the written policy or policies.
- New expectations for written policies include:
- Data retention
- End of life management
- Remote access
- Systems and network security and monitoring
- Security awareness and training
- Vulnerability management
Section 500.4 (Cybersecurity Governance) Key Changes:
- Expectation to appoint a Chief Information Security Officer (can be a third party)
- Expectation for the CISO to present plans for remediating material inadequacies as part of an annual report.
- As-needed presentations to the Board from the CISO on any material cybersecurity issues or changes to the program.
- Greater expectations of the Board of Directors to stay briefed on cybersecurity matters.
Section 500.5 (Vulnerability Management) Key Changes:
- Clear and comprehensive policies and procedures regarding vulnerability management.
- Internal and external penetration testing.
- Automated vulnerability scans at a frequency determined by your risk assessment.
- Expectation to stay informed of new security vulnerabilities.
- Timely remediation of vulnerabilities based on risk.
Section 500.7 (Access Privileges and Management) Key Changes:
- Strict enforcement and limitations of privileged accounts and their function.
- Limitation on the use of privileged accounts to only when performing functions requiring the use of such access.
- Periodically, but at a minimum annually, review of all user access privileges and removal or disabling of accounts and access that are no longer necessary.
- Disabling or secure configuration of all protocols that permit remote control of devices.
- Prompt termination of access following departures.
- Expectations for a written password policy.
- Class A Companies shall implement a solution to monitor privileged access activity.
- Class A Companies shall implement an automated method of blocking commonly used passwords for all accounts on information systems owned or controlled by the Class A Company and wherever feasible for all other accounts.
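As an added example (not code from NYSDFS or from the original post), here is the kind of automated check that satisfies the “block commonly used passwords” expectation above. It goes a step beyond a literal string match: it also rejects the trivial variants users reach for to satisfy complexity rules (“P@ssw0rd!”, “Summer2024”), by comparing several normalized forms of the candidate against the denylist. The denylist here is a small constructed sample; the minimum length of 12 is an assumed policy value, not one the regulation specifies.

```python
"""Commonly-used-password check with normalization.

Added illustrative example, not the page's or NYSDFS's code.
COMMON_PASSWORDS is a constructed sample; a real deployment would load a
large breached-password corpus from disk instead.
"""
import re
import unicodedata

# Constructed sample denylist (real deployments use millions of entries).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin",
    "iloveyou", "monkey", "dragon", "football", "baseball", "summer",
}

# Undo common "leet" substitutions so P@ssw0rd collapses to password.
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})

# Leading/trailing runs of digits, punctuation or underscores, which users
# append to satisfy complexity rules ("summer2024!", "2024summer").
_EDGE_JUNK = re.compile(r"^[\W\d_]+|[\W\d_]+$")


def candidates(password: str) -> set[str]:
    """Return the normalized forms of `password` to test against the denylist.

    Forms: case-folded/NFKC text, the same with edge digits/symbols stripped,
    and both of those with leet substitutions reversed. Empty strings are
    dropped (e.g. "123456" strips to nothing, but its raw form is kept).
    """
    raw = unicodedata.normalize("NFKC", password).casefold()
    stripped = _EDGE_JUNK.sub("", raw)
    forms = {raw, stripped, raw.translate(_LEET), stripped.translate(_LEET)}
    return {f for f in forms if f}


def is_common_password(password: str) -> bool:
    """True if any normalized form of `password` is on the denylist."""
    return any(form in COMMON_PASSWORDS for form in candidates(password))


def evaluate(password: str, min_length: int = 12) -> list[str]:
    """Return the list of policy failures for `password` (empty == accepted).

    `min_length` is an assumed policy value for this example.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append("too_short")
    if is_common_password(password):
        reasons.append("commonly_used")
    return reasons


if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "Summer2024", "123456", "correct horse battery staple"):
        print(f"{pw!r}: {evaluate(pw) or 'accepted'}")
```

The check is applied at password set/reset time and during periodic audits of existing accounts; because the normalization is cheap, it runs in constant time per candidate form regardless of denylist size when the denylist is a set or a bloom filter.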
Section 500.9 (Risk Assessment) Key Changes:
- Updated definition of risk assessment:
- Process of identifying, estimating, and prioritizing cybersecurity risks to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, customers, consumers, other organizations, and critical infrastructure resulting from the operation of an information system.
- Risk assessments incorporate threat and vulnerability analyses and consider mitigations provided by security controls planned or in place.
- Risk assessment must be updated at a minimum annually, and whenever a change in the business or technology causes a material change to the covered entity’s cyber risk.
Section 500.12 (Multi-factor Authentication) Key Changes:
- Multi-factor authentication shall be utilized for any individual accessing any information systems of a covered entity.
- Even a covered entity that qualifies for the limited exemption under section 500.19(a) must still implement multi-factor authentication in the following instances:
- Remote access to the covered entity’s information systems.
- Remote access to third-party applications, including but not limited to those that are cloud-based, from which nonpublic information is accessible.
- All privileged accounts other than service accounts that prohibit interactive login.
Section 500.13 (Asset Inventory) Key Changes:
- Expectations for written policies and procedures designed to produce and maintain a complete, accurate, and documented asset inventory of the covered entity’s information systems.
- A documented and maintained asset inventory shall include:
- Owner
- Location
- Classification or sensitivity
- Support expiration date
- Recovery time objectives
- The frequency required to update and validate the covered entity’s asset inventory.
Section 500.14 (Monitoring and Training) Key Changes:
- Implement risk-based controls designed to protect against malicious code, including those that monitor and filter web traffic and electronic mail to block malicious content.
- Annual cybersecurity awareness training.
- Social engineering (phishing) tests.
- Class A Companies shall implement an endpoint detection and response solution to monitor anomalous activity (including but not limited to lateral movement), and a solution that centralizes logging and security event alerting.
Section 500.15 (Encryption) Key Changes:
- Clear and comprehensive policies and procedures regarding encryption.
- The feasibility of encryption and effectiveness of the compensating controls shall be reviewed by the CISO at least annually.
Section 500.16 (Incident Response and Business Continuity Management) Key Changes:
- Develop written incident response plans that include, among other things:
- Goals
- Internal processes for response
- Root cause analysis for any incident
- Develop written business continuity and disaster recovery plans that shall, at a minimum:
- Identify documents, data, facilities, infrastructure, services, personnel, and competencies essential to the continued operations of the covered entity’s business.
- Identify the supervisory personnel responsible for implementing each aspect of the Business Continuity/Disaster Recovery (BCDR) plan.
- Include a plan to communicate with essential persons in the event of a cybersecurity-related disruption to the operations of the covered entity, including employees, counterparties, regulatory authorities, third-party service providers, disaster recovery specialists, the senior governing body, and any other persons essential to the recovery of documentation and data and the resumption of operations.
- Include procedures for the timely recovery of critical data and information systems and to resume operations as soon as reasonably possible following a cybersecurity-related disruption to normal business activities.
- Include procedures for backing up or copying, with sufficient frequency, information essential to the operations of the covered entity and storing such information offsite.
- Identify third parties that are necessary to the continued operations of the covered entity’s information systems.
- Ensure that copies of plans are distributed and/or are otherwise accessible to all employees.
- Provide relevant training to all employees responsible for implementing the plans regarding their roles and responsibilities.
- Conduct tests of both the Incident Response and BCDR plans.
- Conduct data restoration from backup tests.
- Expectations to maintain backups and adequately protect those backups.
Section 500.17 (Notice) Key Changes:
- Seventy-two (72)-hour notification to NYSDFS after determining that a cybersecurity incident has occurred, expressly including incidents at an affiliate or third-party service provider that impact the covered entity.
- Ongoing communication and cooperation with NYSDFS for any reported cybersecurity incident.
- For certification of compliance, maintain relevant documentation to support your attestation of compliance.
- Provide a written acknowledgement if the covered entity did not materially comply with all requirements of the regulation. The acknowledgement must:
- Identify all sections of this Part that the entity has not materially complied with and describes the nature and extent of such noncompliance.
- Provide a remediation timeline or confirmation that remediation has been completed.
- The annual notice of compliance (or acknowledgement of non-compliance) to NYSDFS shall be signed by the covered entity’s highest-ranking executive and its CISO (or, if the covered entity has no CISO, by the highest-ranking executive and the senior officer responsible for the cybersecurity program).
- Reporting requirements for extortion payments and ransomware events
- Within 24 hours of the extortion payment, notice of the payment.
- Within 30 days of the extortion payment, a written description of the reasons payment was necessary, a description of alternatives to payment considered, all diligence performed to find alternatives to payment and all diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control.
Section 500.19 (Exemptions and Applicability):
With these changes, many want to know, “Does this apply to my company?” Let’s break down the different types of Covered Entities, and what parts of the regulation they will have to comply with.
- Tier 1 – Class A Companies (defined above)
- Must comply with all parts of the regulation, including the Class A-specific requirements outlined above.
- Tier 2 – Covered Entities that are neither Class A nor eligible for a 500.19 exemption, i.e., those with:
- Gross annual revenue roughly between $7,500,000 and $20,000,000 in each of the last three fiscal years from all business operations of the covered entity and the business operations in New York State of the covered entity’s affiliates, or year-end total assets exceeding $15,000,000.
- Must comply with all requirements of the part outlined above, except for the Class A-specific requirements.
- Tier 3 – Covered Entities that meet any one of the following (500.19(a)):
- Fewer than 20 employees and independent contractors of the covered entity and its affiliates; or
- Less than $7,500,000 in gross annual revenue in each of the last three fiscal years from all business operations of the covered entity and the business operations in this State of the covered entity’s affiliates; or
- Year-end total assets less than $15,000,000.
- Covered entities in this tier qualify for the “limited exemption” and are exempt from many requirements. However, they still need to comply with the following requirements as outlined above:
- 500.2 (Cybersecurity Program)
- 500.3 (Cybersecurity Policy and Procedures)
- 500.7 (Access Privileges and Management)
- 500.9 (Risk Assessment)
- 500.11 (Third-Party Service Provider Requirements)
- 500.12 (Multi-Factor Authentication)
- 500.13 (Asset Inventory)
- 500.17 (Notices)
- Tier 4 – Covered Entities that (500.19(b)):
- Do not directly or indirectly operate, maintain, utilize, or control any information systems, and that do not, and are not required to, directly or indirectly control, own, access, generate, receive, or possess nonpublic information. These entities are exempt from many requirements. However, they still need to comply with the following requirements as outlined above:
- 500.9 (Risk Assessment)
- 500.11 (Third-Party Service Provider Requirements)
- 500.13 (Asset Inventory)
- 500.17 (Notices)
Compliance Dates
NYSDFS has set several compliance dates, all based on the amended regulation’s effective date of November 1, 2023. Most changes take effect 180 days after that date (Monday, April 29, 2024). Several other requirements have different transition periods, so covered entities will have:
- Thirty (30) days from the effective date (December 1, 2023) to comply with the new requirements specified in section 500.17 (Notices).
- One year from the effective date of the second amendment (November 1, 2024) to comply with the new requirements specified in sections 500.4 (CISO and governance), 500.15 (Encryption), 500.16 (IRP and BCDR plans), and 500.19(a) (Exemptions).
- Eighteen (18) months from the effective date of the second amendment (May 1, 2025) to comply with the new requirements specified in sections 500.5(a)(2) (automated vulnerability scans), 500.7 (Access Privileges and Management, including the Class A privileged-access monitoring and password-blocking requirements), and 500.14(b) (endpoint detection and response and centralized logging for Class A Companies).
- Two years from the effective date of the second amendment (November 1, 2025) to comply with the new requirements specified in sections 500.12 (MFA) and 500.13(a) (Asset Inventory).
Conclusion
The amended regulation significantly raises the bar for cybersecurity in the financial sector, likely influencing similar regulations in other states and potentially at a federal level. While it enhances consumer data protection, it also poses challenges for companies in terms of compliance. Ensuring adherence to these more stringent requirements might demand increased investments in technology and manpower.
Please do not hesitate to reach out with any questions. FoxPointe Solutions is equipped to assist your organization in complying with the new requirements.