On July 29th, 2022, The New York State Department of Financial Services (NY DFS) published pre-proposal amendments to their landmark Cybersecurity Regulation, 23 NYCRR 500. The “DFS Cyber reg” as it’s often referred to, was a first-in-the-nation when it was published in 2017 and has since been a model that’s been used in countless other regulations.
As much as there’s some disagreeable points in this reg, you can’t argue with the fact that it has and continues to raise the bar of Cybersecurity for the financial services industry. The proposed amendments are clearly designed to do the same, made evident by the fact that nearly every section has new or amended requirements.
Although it’s early on in the process, if only a small portion of the amendments make it to the final version, this updated regulation will no doubt impose significant new requirements on covered entities. This blog post is going to describe each of the changes, new requirements and definitions so you can begin to prepare and plan for what is inevitably to come.
According to the NY DFS, comments will be accepted through the NY DFS website until Monday August 8th. The NY DFS Executive Deputy Superintendent also stated on LinkedIn that, “This will not be the only opportunity to comment, as there will also be a full 60-day notice and comment period before the amendments are final.”
You can read the amendments in all its glory here: https://dfs.ny.gov/system/files/documents/2022/07/pre_proposed_draft_23nycrr500_amd2.pdf. When reading the amendments (linked above) keep in mind that additions are marked with underscores and items that are planned to be removed are marked in brackets.
Due to changes in the definition of “covered entity” there could be organizations that have to comply with the cyber reg that have not previously had to. The part highlighted below is new.
Covered entity means any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law, including entities that are also regulated by other government agencies.
Covered entities that meet the following are excluded from the requirements of sections: 500.4, 500.5, 500.6, 500.8, 500.10, 500.12, 500.14, 500.15 and 500.16.
Fewer than 20 employees (up from 10) and includes employees, employees and independent contractors of the covered entities affiliates whose work is located in New York, and employees and independent contractors of the covered entities affiliates who are responsible for the business of the covered entity regardless of their location
Less than $15,000,000 in year-end total assets
Also newly exempt categories of companies are:
Reciprocal jurisdiction reinsurer that has been recognized pursuant to 11 NYCRR Part 125
Individual insurance agents who are deemed to be inactive under Insurance Law section 2103
Individual licensees placed in inactive status under Banking Law section 599-i
Covered entities have 180 days from the effective date to comply with the new requirements, with several requirements having different transitional periods. Those are:
500.17 – 30 days from the effective date to comply
500.7(b), 500.12(c) and 500.14(b) – 1 year from the effective date to comply
Violations & Penalties
Section 500.20 is essentially all new and it describes what constitutes a violation of the regulation and how penalties for violations will be determined.
Violation – The commission of a single act prohibited by the reg or failure to act to satisfy an obligation of the reg. This includes failure to secure or prevent unauthorized access to nonpublic information due to non-compliance, or failure to comply with any section or subsection for any 24-hour period.
Penalties – When assessing a penalty for violation, the superintendent may take into account a wide array of information. There are 15 categories of items that may be taken into consideration such as: good faith of the covered entity, cooperation with the superintendent’s investigation, was the violation a result of a failure to remediate previously identified issues, the extent of harm to consumers, and much more.
As I stated above, nearly every section has amendments or new requirements. We’re going to step through each of the requirements and describe what’s new.
500.2 Cybersecurity Program
Independent audit – Class A companies (a new definition targeting larger organizations) are required to perform an independent audit of their cybersecurity programs at least annually, which can be done by an internal or external auditor so long as they are NOT influenced by the covered entity.
500.3 Cybersecurity policy
Cybersecurity policies – They must now be approved annually by the senior governing body, and they must now also address end of life management, remote access control, and vulnerability and patch management.
Senior governing body definition – the covered entity’s board of directors or equivalent governing body or, if neither of those exist, the senior officer of the covered entity responsible for the covered entity’s cybersecurity program.
500.4 Chief information security officer
CISO – The CISO must now have adequate independence and authority to ensure cybersecurity risks are appropriately managed.
The CISO Report – Must now be a written report and include plans for remediating inadequacies. The CISO must also timely report material cybersecurity issues, such as updates to the risk assessment or cyber events to the senior governing body.
Board of Directors – If the covered entity has a board, they (or an appropriate committee) must have knowledge and experience to oversee the cybersecurity program and they must require executive management to develop, implement and maintain the cybersecurity program.
500.5 Penetration Testing and Vulnerability Assessments
Annual penetration testing – Must now be performed by a qualified independent party
Regular vulnerability assessments – Must now be performed regularly. Class A companies must conduct scans or reviews at least weekly.
Reporting – Material gaps found in testing must be documented and reported to the senior governing body and senior management.
500.7 Access privileges and management (amended title)
User access – Must be restricted to those necessary to perform the user’s job.
Privileged accounts – (which now has a definition) Must be a limited number of them, they must be restricted to only functions needed to perform the user’s job, and they must only be used when elevated functions are required.
Privileged account definition – any authorized user or service account that can be used to: perform security-relevant functions that ordinary users are not authorized to perform or affect a material change to the technical or business operations of the covered entity.
Access reviews – Periodic review and removal of all unnecessary accounts.
Remote control protocols – Protocols that permit remote control of devices must be disabled or securely configured.
Strong passwords – The covered entity must ensure strong passwords are used.
Monitor privileged access – Class A companies must monitor privileged access activity, implement a password vaulting solution for privileged accounts, and use automated methods to block commonly used passwords.
500.8 Application Security
Documentation updates – Procedures, guidelines and standards must now be reviewed, assessed and updated at least annually.
500.9 Risk Assessment
Risk assessment – The definition is much more comprehensive than the current version of the reg. Also, the risk assessment must be updated annually or after any material change to the covered entities cyber risk. Class A companies must have a risk assessment performed by external experts at least once every three years. Lastly, the CISO must timely report changes in the risk assessment to the senior governing body (also a new definition).
Risk assessment definition – the process of identifying cybersecurity risks to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, customers, consumers, other organizations, and critical infrastructure resulting from the operation of an information system. Risk assessments shall take into account the specific circumstances of the covered entity, including but not limited to its size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations. Risk assessments incorporate threat and vulnerability analyses, and consider mitigations provided by security controls planned or in place.
500.12 Multi-factor authentication
Remote access – The wording has been amended to say “Multi-factor authentication must be used for remote access to the network and enterprise and third-party applications from which nonpublic information is accessible.”
Multi-factor for priveleged accounts – MFA must now be used by all privileged accounts, except for accounts that prohibit interactive login and where the CISO has approved in writing the implementation of compensating controls that achieve a reasonably equivalent alternative.
500.13 Asset and data retention management (amended title)
Policies and procedures – the section requires written policies and procedures designed to ensure a complete, accurate, and documented asset inventory. It has to include all information systems and their components, and should also include infrastructure devices, APIs and cloud services.
The policies should at minimum address tracking key information for each asset such as: owner, location, classification or sensitivity, support expiration date, and recovery time requirements. The policies should also address the frequency required to update and validate the asset inventory.
500.14 Monitoring and training (amended title)
Email filtering – Emails must be filtered and monitored in order to to block malicious content.
Phishing – Cybersecurity awareness programs must include phishing training, exercises and simulations when appropriate.
EDR and SIEM – Class A companies must implement endpoint detection and response solution as well as centralized logging and security event alerting.
500.15 Protection of nonpublic information (amended title)
Encryption policy – An encryption policy is required that must meet industry standards.
Compensation controls – The possibility of using a compensation control has been removed for encryption in transit, however, it’s still an option for encryption at rest. The CISO must approve in writing, and it must be reviewed by the CISO at least annually.
500.16 Incident response plan
Incident plans – The incident plans must be written and contain proactive measures to mitigate disruptive events and ensure operational resilience, including but not limited to incident response, business continuity, and disaster recovery plans.
Incident Response Plan – The IR plan must now address ransomware incidents, recovering from backups and how the plan will be updated, as necessary.
Business Continuity and Disaster Recovery (BCDR) – This is an entirely new subsection and requirement in the proposed amended reg. This requirement is quite verbose, so we will save this for another blog post.
Plan dissemination, training and testing – The incident plans must be distributed to those who have responsibilities within the plans, there must be training for all relevant parties on the plans and their responsibilities. Lastly, IR and BCDR plans must be tested, as well as the ability to restore systems from backup.
Isolated backups – Covered entities must now have offline backups.
500.17 Notices to superintendent
Cybersecurity events – Notices of cybersecurity events must now be done electronically using the departments website. Two new events have been added to the list of reportable cybersecurity events: unauthorized access to a privileged account, or deployment of ransomware within a material part of the covered entity’s information system.
Compliance – Notice of compliance (certification) must be submitted electronically by April 15th. Compliance must be based on data and documentation sufficient to accurately determine and demonstrate such compliance.
Non-compliance – Notice of non-compliance (acknowledgement) must also be submitted by April 15th. It must include acknowledgement of non-compliance, the provisions that are not fully in compliance and the nature of non-compliance, and all areas, systems and processes that require material improvement, updating, or redesigning.
Sign off – The notice of compliance/non-compliance must be signed by the covered entities CEO and CISO or equivalent.
Maintenance of records – All documentation and data that supports the compliance/non-compliance notice must be preserved for the same 5 year period. In the case of non-compliance, thorough documentation must be maintained, and it must include remediation plans and a timeline of those plans.
Notice of extortion – Covered entities must now report when an extortion payment has been made in connection with a cybersecurity event. It must be reported electronically within 24 hours of the extortion payment. Within 30 days of the extortion payment a written description of the reasons, alternatives and all diligence performed must also be submitted.
Plan For Tomorrow, Today
There’s no doubt that even if a small portion of these amendments were to pass it would impose significant new requirements on covered entities cybersecurity programs. Regardless of what makes it to the final regulation, it pays to be prepared and plan ahead for what could potentially be a new requirement.