Last week, the New York Department of Financial Services (NYDFS) published an updated proposed second amendment to the state’s cybersecurity regulation (23 NYCRR 500). On November 9, 2022, NYDFS published the first draft of the proposed Amendment and received comments over a 60-day period. The proposed second Amendment addresses NYDFS revisions in response to comments received on the first draft of the proposed Amendment.
The NYDFS’ cybersecurity regulation imposes a series of cybersecurity requirements for banks, insurance companies and other financial services institutions. Some of the changes proposed to the NYDFS cybersecurity regulation under the second Amendment include:
- Updated definitions. The NYDFS cybersecurity regulation defines a “Class A Company” as a covered entity with at least $20 million in gross annual revenue in each of the last two fiscal years from the business operations of the entity and its affiliates in New York and either: (1) over 2,000 employees, averaged over the last two fiscal years, across the entity and its affiliates; or (2) over $1,000,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the entity and its affiliates. The proposed second Amendment clarifies that, when counting employees and gross annual revenue to determine whether an entity qualifies as a “Class A Company,” affiliates include only “those that share information systems, cybersecurity resources or all or any part of a cybersecurity program with the covered entity.” The proposed second Amendment also narrows the definition of a “privileged account” by dropping the prong of the first draft that swept in any authorized user account or service account that can affect a material change to the technical or business operations of the covered entity; the definition now turns on whether the account can perform security-relevant functions that ordinary users cannot. The “senior governing body” definition was also updated to clarify that, for “any cybersecurity program or part of a cybersecurity program adopted from an affiliate under section 500.2(d) of this Part, the senior governing body may be that of the affiliate.”
- Cybersecurity event notification. The NYDFS cybersecurity regulation requires covered entities to notify NYDFS within 72 hours after determining that a cybersecurity event has occurred at the covered entity, one of its affiliates or a third-party service provider. The initial proposed Amendment required covered entities to provide any information requested by the NYDFS superintendent within 90 days of submitting the cybersecurity event notice. The proposed second Amendment removes the 90-day deadline and instead requires that “[e]ach covered entity shall promptly provide any information requested regarding such event. Covered entities shall have a continuing obligation to update and supplement the information provided.” Additionally, covered entities must maintain all records, schedules, and supporting data and documentation for potential inspection by NYDFS.
- Compliance certification. Companies are required to annually certify their compliance with the NYDFS cybersecurity regulation for the prior calendar year. The proposed second Amendment reduces the scope of this requirement by only requiring that companies provide certification of material compliance.
- New exemption. The proposed second Amendment adds an exemption providing that “[a]n employee, agent, wholly-owned subsidiary, representative or designee of a covered entity, who is itself a covered entity, is exempt from this Part and need not develop its own cybersecurity program to the extent that the employee, agent, wholly-owned subsidiary, representative or designee is covered by the cybersecurity program of the covered entity.”
- Additional modifications. The proposed second Amendment extends the proposed multi-factor authentication (MFA) requirement by requiring MFA for any access to the entity’s information systems unless a limited exception applies or the covered entity’s Chief Information Security Officer approves the use of reasonably equivalent or more secure compensating controls. The proposed second Amendment also deletes the requirement that Class A Companies use external experts to conduct risk assessments at least once every three years. Additionally, under the proposed second Amendment, the incident response plan (IRP) and the business continuity and disaster recovery plan must be tested annually with critical staff and senior leadership. The proposed second Amendment also mandates that the IRP include a root cause analysis documenting how and why the event occurred, its business impact, and the actions taken to prevent recurrence. Finally, the proposed second Amendment clarifies that the role of the senior governing body is to oversee the covered entity’s cybersecurity risk management, and that its members are required only to “have sufficient understanding of cybersecurity-related matters to exercise such oversight, which may include the use of advisors.”
- Updated compliance timelines. The initial proposed Amendment required covered entities to comply with most of the new requirements within 180 days of the Amendment’s effective date, with the remaining requirements subject to transition periods of one to two years. Under the proposed second Amendment, a number of the new requirements would move to the longer compliance periods. For example, covered entities would have two years from the Amendment’s effective date to implement written policies and procedures designed to ensure a complete, accurate and documented asset inventory of the covered entity’s information systems.
Comments on the proposed second Amendment are due Monday, August 14, 2023 at 5pm. Written comments may be submitted by email to cyberamendment@dfs.ny.gov or by mail to the New York State Department of Financial Services c/o Cybersecurity Division, Attn: Joanne Berman, 1 State Street Plaza, Floor 19, New York, NY, 10004.