Covered financial institutions now face heightened expectations in relation to cybersecurity governance, risk assessment, and incident reporting.
The New York State Department of Financial Services’ (DFS) amendments (the Amendments) to its cybersecurity regulations, which were adopted last month with the first implementation deadline of December 1, 2023, impose new and enhanced requirements on covered entities.
On November 1, 2023, the DFS announced the Amendments to its regulations that were initially published in 2017 (23 NYCRR part 500). The changes impose more demanding requirements for larger entities, new obligations to report ransomware incidents and payments, and expanded oversight responsibilities for board and senior management. Requirements related to business continuity and disaster recovery have also been included for the first time.
Scope of the Amendments
Covered entities subject to 23 NYCRR part 500 and the Amendments are defined as any person operating or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies.
A cybersecurity incident is defined as one that has occurred at the covered entity, its affiliates (those that share information systems, cybersecurity resources, or any part of a cybersecurity program with the covered entity), or its third-party service providers, and that:
- impacts the covered entity and requires the covered entity to notify any government body, self-regulatory agency, or any other supervisory body;
- has a reasonable likelihood of materially harming any material part of the normal operations of the covered entity; or
- results in the deployment of ransomware within a material part of the covered entity’s information systems.
“Class A” Companies
The Amendments create a new category of covered entities — deemed “Class A” companies — with heightened cybersecurity obligations. These “Class A” companies are defined as having at least $20 million in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity combined with those business operations of the covered entity’s affiliates in New York, and either have (i) more than 2,000 employees (including affiliates), or (ii) more than $1 billion in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and its affiliates.
In addition to meeting all other requirements that 23 NYCRR part 500 imposes on covered entities, a “Class A” company must:
- design and conduct independent audits of its cybersecurity program based on its risk assessment (through auditors that can be internal or external to the company but must be free to make decisions not influenced by the covered entity);
- monitor its privileged access activity and implement a privileged access management solution;
- automatically block commonly used passwords, unless the chief information security officer (CISO) annually states in writing that such blocking is infeasible and provides alternative compensating controls; and
- implement endpoint detection to monitor anomalous activity (including lateral movement), and a solution that centralizes logging and security-event alerting (unless the CISO has approved in writing the use of reasonably equivalent or more secure compensating controls).
The covered entity’s board or senior governing body is tasked with oversight, funding, and maintenance of the company’s cybersecurity risk management program. The governing body is expected to allocate “sufficient resources [for the covered entity] to implement and maintain an effective cybersecurity program,” and have “sufficient understanding of cybersecurity-related matters” to execute its oversight function, which may entail the use of advisors.
The covered entity’s CISO or equivalent officer must:
- provide additional reports annually to the covered entity’s board or senior governing body on plans for remediating material inadequacies; and
- timely report to the senior governing body or senior officer(s) regarding significant cybersecurity events and material changes to the covered entity’s cybersecurity program.
By imposing specific requirements on a banking institution’s CISO and governing body, the Amendments appear to increase management exposure to regulatory enforcement for lapses in cybersecurity oversight. Under Section 41 of the Banking Law, the DFS superintendent can remove an officer or director for violating “any law or duly enacted regulation of the superintendent” relating to a regulated banking institution. It is not clear, however, to what extent the DFS will pursue individual senior managers in the cybersecurity context rather than, as in other contexts, the entities with which they are associated.
The Amendments expressly include ransomware attacks as a cybersecurity event, which the regulations require to be reported to the DFS within 72 hours after determining that it has occurred. The Amendments also require a covered entity to report within 24 hours any extortion payment made in response to a ransomware attack. And, within 30 days of the payment, the covered entity must also provide the DFS with “a written description of the reasons payment was necessary, a description of alternatives to payment that were considered, all diligence performed to find alternatives to payment and all diligence performed to ensure compliance with applicable rules and regulations, including those of the Office of Foreign Assets Control.”
Covered entities’ incident response plans must also expressly address procedures for recovery from backups, root cause analysis, evaluation of business impact, and prevention of recurrence of incidents.
A covered entity’s CISO and highest-ranking executive must annually file a notice of compliance with the DFS. Importantly, the Amendments specify that the certification must be true not only at the time of certification but must also accurately describe the covered entity’s material compliance with all DFS cybersecurity requirements throughout the prior calendar year.
Alternatively, the filing may acknowledge that the covered entity did not materially comply with all requirements, describing such areas of deficiency, and propose a plan and timeline for remediation (or confirmation of successful remediation). Covered entities must also retain for five years all documentation supporting a certification of compliance or acknowledgement of non-compliance and remedial efforts.
Access to systems containing non-public information must be limited to individuals who need such access to perform their jobs. Covered entities must also annually “review all user access privileges and remove or disable accounts and access that are no longer necessary.”
Covered entities must review and update risk assessments at least annually (rather than “as reasonably necessary”), and whenever a change in the business or technology causes a material change to the covered entity’s cyber risks.
Risk assessments should also be reviewed whenever a new business model is adopted or a new product is introduced.
The entity’s senior governing body must approve such programs annually.
The Amendments introduce a number of heightened technical controls, including:
- Multifactor Authentication: With only very limited exceptions, multifactor authentication (MFA) is now required for “any individual” accessing “any information system” of a covered entity. A covered entity’s CISO may, however, approve the use of reasonably equivalent or more secure compensating controls. Importantly, the Amendments also removed the use of text message as an approved form of MFA, noting that it is “widely considered to be a weaker form of MFA.”
- Encryption: The Amendments remove covered entities’ ability to rely on alternative compensating controls for the requirement to encrypt non-public information in transit over external networks. The DFS noted that it is “unaware of any effective alternative compensating control currently being used in the financial services sector that is comparable to encryption in transit over external networks.”
- Vulnerability Scans: Covered entities are required to conduct automated scans of their information systems, detect security vulnerabilities, and timely remediate vulnerabilities. These scans are required on top of the requirement to conduct regular penetration testing.
- Asset Inventory: Covered entities must maintain a complete asset inventory of all of their information systems that tracks the owner, location, classification or sensitivity, support expiration date, and recovery time objective for each system.
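The asset inventory requirement above is the one control in this list that reduces to a concrete data model. The following is an added example, not code from the original alert and not anything issued by the DFS: it models one inventory record with the five attributes the Amendments name (owner, location, classification or sensitivity, support expiration date, recovery time objective) and reports records that are missing an attribute, carry an unrecognized classification label, or whose vendor support has already lapsed. The field names, the classification labels and the sample records are assumptions constructed for the example.

```python
"""Asset inventory completeness check for 23 NYCRR part 500 (added example).

Not DFS-issued code. Field names, classification labels and sample data are
assumptions; the check itself mirrors the attributes the Amendments require
an inventory to track for each information system.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Attributes the amended regulation requires the inventory to track per system.
REQUIRED_FIELDS = ("owner", "location", "classification", "support_expiration", "rto_hours")

# Assumed classification vocabulary; "npi" marks systems holding non-public information.
CLASSIFICATIONS = {"public", "internal", "confidential", "npi"}


@dataclass
class Asset:
    """One inventory record; None means the attribute was never recorded."""
    name: str
    owner: Optional[str] = None
    location: Optional[str] = None
    classification: Optional[str] = None
    support_expiration: Optional[date] = None
    rto_hours: Optional[int] = None  # recovery time objective, in hours


def check_asset(asset: Asset, as_of: date) -> List[str]:
    """Return human-readable findings for a single record, empty if it is complete."""
    findings = []
    for field in REQUIRED_FIELDS:
        if getattr(asset, field) is None:
            findings.append(f"{asset.name}: missing {field}")
    if asset.classification is not None and asset.classification not in CLASSIFICATIONS:
        findings.append(f"{asset.name}: unknown classification {asset.classification!r}")
    # A system past its support expiration date no longer receives vendor fixes,
    # which is the reason the regulation wants the date tracked at all.
    if asset.support_expiration is not None and asset.support_expiration < as_of:
        findings.append(
            f"{asset.name}: vendor support expired on {asset.support_expiration.isoformat()}"
        )
    if asset.rto_hours is not None and asset.rto_hours < 0:
        findings.append(f"{asset.name}: recovery time objective must be non-negative")
    return findings


def check_inventory(assets: List[Asset], as_of: date) -> List[str]:
    """Run check_asset over the whole inventory and concatenate the findings."""
    findings: List[str] = []
    for asset in assets:
        findings.extend(check_asset(asset, as_of))
    return findings


# Constructed sample inventory: one complete record, one with lapsed support,
# one with two attributes never filled in.
SAMPLE_INVENTORY = [
    Asset("core-banking-db", "dba-team", "nyc-dc1", "npi", date(2027, 1, 31), 4),
    Asset("legacy-loan-server", "lending-ops", "nyc-dc2", "npi", date(2023, 9, 30), 24),
    Asset("marketing-site", None, "aws-us-east-1", "public", date(2026, 12, 31), None),
]

if __name__ == "__main__":
    for line in check_inventory(SAMPLE_INVENTORY, date(2024, 6, 1)):
        print(line)
```

Running the module against the constructed inventory as of 1 June 2024 lists three findings: the lapsed support date on the legacy server and the two unrecorded attributes on the marketing site. A real inventory would be loaded from a CMDB export rather than declared inline, but the per-record check is the same.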
The Amendments state that the “commission of a single act prohibited by [23 NYCRR part 500] or the failure to satisfy an obligation required by [23 NYCRR part 500] shall constitute a violation hereof.” A violation may include the failure to secure or prevent unauthorized access to an individual’s or an entity’s non-public information due to non-compliance with 23 NYCRR part 500, or the material failure to comply with any requirement of 23 NYCRR part 500 for any 24-hour period.
Penalties for noncompliance may vary, and an extensive list of considerations and mitigating factors is provided.
The Amendments relax the thresholds for small-company exemptions from the requirements of 23 NYCRR part 500. The threshold number of employees has been raised from 10 to 20, gross annual revenue from $5 million to $7.5 million (in each of the last three fiscal years from all business operations and the New York business operations of its affiliates), and total assets from $10 million to $15 million (including assets of all affiliates).
The Amendments became effective on November 1, 2023. Compliance is generally required by April 29, 2024 (180 days from November 1, 2023), although the Amendments provide various dates over the next two years for compliance with specific provisions:
- By December 1, 2023, covered entities must comply with the incident reporting obligations.
- By April 15, 2024, covered entities’ CISOs and CEOs (or other highest-ranking executives) must certify compliance.
- By April 29, 2024, certified entities must comply with the amended risk assessment, cybersecurity policy, penetration testing and monitoring, training, and audit requirements.
- By November 1, 2024, covered entities must comply with obligations related to the company’s senior governing body, encryption requirements, and incident response requirements.
- By May 1, 2025, covered entities must comply with many updated technical requirements, including automated information systems scanning requirements, privileged accounts requirements, malicious code requirements, and endpoint detection solution requirements.
- By November 1, 2025, covered entities must comply with multifactor authentication and asset inventory requirements.
Even before the Amendments, the DFS’ cybersecurity regulations were considered among the most demanding and specific cybersecurity requirements that any regulator had promulgated. The Amendments continue that trend. For financial services companies operating in New York, the Amendments mean a continued focus on cybersecurity governance and response, more compliance obligations and potentially higher operational costs (particularly for “Class A” companies), and correspondingly increased enforcement risk.