NYDFS Proposes Amendments That Expand Board and Management Responsibility For Cyber Breaches

On November 9, 2022, the New York Department of Financial Services (“NYDFS”) Cybersecurity Resource Center announced that it was proposing a second amendment[1] to 23 NYCRR Part 500[2], the NYDFS Cybersecurity Requirements for Financial Services Companies (the “Act”) that would expand the responsibilities and corresponding liabilities for officers and directors of a financial services company with regard to the organization’s cyber security.

The Act was originally enacted to address the “ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors.” It appears the predominant concern of the NYDFS at the time of enactment was the implementation of cybersecurity programs across all organizations as the closing paragraph of Section 500.000 states: “[i]t is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs.”

These amendments reflect a continuance of the Act’s original objectives. The most significant changes under the second proposed amendment are as follows.  

Section 500.02 – Cybersecurity Program

Under the Act, an organization’s cybersecurity program is required to “protect the confidentiality, integrity and availability” of the organization’s information systems. The amendments require that “nonpublic information that is stored on their information systems” also receive these same protections.

Additionally, Class A companies would be required to conduct an independent audit of their program on an annual basis.

Section 500.03 – Cybersecurity Policy

Under the amendments, the “senior governing body” will be the appropriate persons to approve the organization’s written cybersecurity policies, as opposed to the organization’s “senior officer” or “board of directors.” Additionally, this approval must be done on at least an annual basis and would form the basis of the procedures that an organization is required to develop, document, and implement under the amendments.

Section 500.04 – Chief Information Security Officer

The qualification requirements for a chief information security officer (“CISO”), who is responsible under the Act for overseeing and implementing the organization’s cybersecurity program, would be expanded by the amendments to require that the CISO “have adequate authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program.”

In addition to other responsibilities under the Act, the CISO would be required to report to the senior governing body regarding “material cybersecurity issues, such as updates to the covered entity’s risk assessment or major cybersecurity events.”

Additionally, an organization’s board of directors, or an equivalent committee, would be required to:

“(1) exercise oversight of, and provide direction to management on, the covered entity’s cybersecurity risk management;

(2) require the covered entity’s executive management or its delegates to develop, implement and maintain the covered entity’s cybersecurity program; and

(3) have sufficient expertise and knowledge, or be advised by persons with sufficient expertise and knowledge, to exercise effective oversight of cybersecurity risk management.”

Section 500.05 – Penetration Testing and Vulnerability Assessments

This section of the Act would be renamed “Vulnerability management” and the responsibilities would be amended to require more consistent monitoring practices, response capabilities and responsibilities, and reporting requirements to the senior governing body or senior management.

Section 500.07 – Access Privileges

Pursuant to an organization’s cybersecurity program, an organization would be required to limit user access to information systems, and to the functions accessible within those systems, to only the levels the user requires to perform their job. This is a narrower limitation than originally outlined in the Act, and access would be further constrained by a requirement that it be reviewed annually, securely maintained, and “promptly” terminated following the user’s departure.

Organizations that maintain passwords as a method of authentication will be required to implement “a written password policy that meets industry standards.” Further, Class A companies would be required to monitor privileged access in accordance with a “privileged access management solution” and employ a system that automatically blocks commonly used passwords for their account access.

Section 500.09 – Risk Assessment

Organizations would be required to review and update their risk assessment on an annual basis, or “whenever a change in the business or technology causes a material change to the covered entity’s cyber risk.”

Class A companies would be required to submit their risk assessments to external experts for review and approval at least once every three years.

Section 500.12 – Multi-Factor Authentication

Multifactor authentication would be required for remote access to the organization’s information systems and third-party applications, as well as for all privileged accounts, unless the organization’s CISO has approved written policies that provide equivalent security and controls for these points of access.

Section 500.14 – Training and Monitoring

In addition to other controls required to be implemented under the Act, an organization must establish controls that “protect against malicious code, including those that monitor and filter web traffic and electronic mail to block malicious content.”

Class A companies would also be required to implement an endpoint detection and response solution that monitors for, and alerts the organization to, any unusual activity.

Section 500.16 – Incident Response Plan

An organization’s incident response plan would be required to include a business continuity and disaster recovery plan that complies with the amendment’s proposed specifications and is “reasonably designed to ensure the availability and functionality of the covered entity’s services and protect the covered entity’s personnel, assets and nonpublic information.”  

Organizations would be required to distribute copies of the plan, test the plan on an annual basis, and train all employees responsible for implementing or carrying out the plan. Organizations would also be required to maintain backups that are “adequately protected from unauthorized alterations or destruction.”

Section 500.17 – Notices to Superintendent

Organizations would be required to notify the superintendent, as defined under the Act, of a cybersecurity event within the organization within 90 days of the occurrence of the event, and within 72 hours following an event occurring within a third-party service provider.

Additionally, organizations would be required to notify the superintendent within 24 hours of any extortion payment made in connection with a cybersecurity event, and to provide, within 90 days, a written description of why the payment was necessary.

Section 500.20 – Enforcement

Penalties issued pursuant to the Act would continue to be assessed by the superintendent. However, the amendments enumerate several factors that the superintendent can consider in making that determination, such as the organization’s previous cooperation with the superintendent in investigating any violating activity, the good faith of the entity, and the organization’s prior history of violations.

Section 500.22 – Transitional Period

If adopted, organizations would have “180 days from the effective date of the second amendment to this Part to comply with the new requirements,” except for certain sections of the amendments, which would have different transition periods.

Newly Added: Section 500.24 – Exemptions from electronic filing and submission requirements

The amendments would add Section 500.24 to the Act, which outlines certain exemptions from filing and submission requirements and instructs covered entities on how to apply for this exempted treatment.

The 60-day comment period began on November 9, 2022. Comments must be received by 5 pm EST on Monday, January 9, 2023. Submission can be made by emailing cyberamendment@dfs.ny.gov or mail to New York State Department of Financial Services c/o Cybersecurity Division, Attn: Joanne Berman, One State Street, Floor 19, New York, NY, 10004.

