On July 29th, 2022, the New York State Department of Financial Services (NY DFS) published pre-proposal amendments to its landmark Cybersecurity Regulation, 23 NYCRR 500. The “DFS Cyber reg”, as it’s often called, was a first-in-the-nation regulation when it was published in 2017 and has since served as a model for countless other regulations. The proposed amendments are clearly designed to do the same, as is evident from the fact that nearly every section has new or amended requirements.
In this blog post we’re going to describe one of the most significant proposed amendments to the reg: the new requirements related to ransomware, extortion and the reporting of those cybersecurity events.
Notice of Ransomware Event
The proposed amendments to Section 500.17 would incorporate two new definitions of a cybersecurity event, one of which specifically addresses ransomware. Should any of the events described in this section occur, electronic notification to the superintendent within 72 hours is required.
500.17 (a)(4) – cybersecurity events that resulted in the deployment of ransomware within a material part of the covered entity’s information system.
Under the current rule, reporting a ransomware event is required if notice is also required to a government body, self-regulatory agency or any other supervisory body, or if there is a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity.
Notice & Description of Extortion Payment
The proposed amendments to Section 500.17 would also incorporate a requirement to notify the superintendent of an extortion payment within 24 hours of making the payment. A written description sent to the superintendent would also be required within 30 days. This written description would have to include:
A written description of the reasons payment was necessary
A description of alternatives to payment considered
All diligence performed to find alternatives to payment
All diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control
Plans Are Nothing, Planning Is Everything
There’s no doubt that if these amendments were to pass they would impose significant new requirements on covered entities’ cybersecurity event reporting policies and procedures. If your Incident Response plan does not specifically address the company’s policies and procedures for responding to and reporting ransomware events, it would be worthwhile to begin that process now. Given the impact ransomware has had over the last several years, there’s little doubt that some form of ransomware notification will make it into the final regulation. The time to prepare is now.