Introducing a new category of “class A” companies that are subject to more stringent compliance requirements
A class A company consists of a covered entity—defined under section 500.1(e) of the amended cybersecurity requirements as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies”—with at least $20 million in gross annual revenue in each of the last two fiscal years from all of its business operations and that either (a) has employed over 2,000 employees averaged over the last two fiscal years or (b) has over $1 billion in gross annual revenue in each of the last two fiscal years from all of its business operations. See Amended Cybersecurity Requirements § 500.1(d).
In addition to all requirements applicable to covered entities under the amendment generally, a class A company is further required to
- design and conduct independent audits of its cybersecurity program based on its risk assessment (see id. § 500.2(c));
- monitor privileged access activity by implementing certain access controls, such as a privileged access management solution and imposing password complexity requirements (see id. § 500.7(c)); and
- implement an endpoint detection and response solution to monitor anomalous activity, and use a centralized solution for system logging and security event alerts (see id. § 500.14(b)).
Designation of a “senior governing body” to oversee cybersecurity
Although covered entities were already required to ensure that the board or a senior officer or officers oversaw their cybersecurity compliance, the amendment adopts a new term, “senior governing body,” for the person or persons responsible for exercising that oversight. See id. § 500.1(q).
It also delineated the senior governing body’s responsibilities, which include the following:
- having a sufficient understanding of cybersecurity-related matters to exercise the required oversight, which may include the assistance of advisors;
- requiring management to develop, implement, and maintain the covered entity’s cybersecurity program;
- regularly receiving and reviewing management reports about cybersecurity matters;
- approving, at least annually, the entity’s written cybersecurity policies; and
- confirming that management has allocated sufficient resources to implement and maintain an effective cybersecurity program, in light of the risks to the covered entity. See id. § 500.4(d).
Increased reporting requirements for chief information security officers
The chief information security officer (CISO) of a covered entity is now required to timely report to the senior governing body or senior officer or officers on material cybersecurity issues, such as significant cybersecurity events and significant changes to the covered entity’s cybersecurity program. See id. § 500.2(d).
The CISO is required to sign, along with the highest-ranking executive of the covered entity, an annual certification that the covered entity has materially complied with the amended cybersecurity requirements during the prior calendar year. See id. §500.17(b)(2). Alternatively, and as appropriate, the CISO and the highest-ranking executive must sign a written acknowledgement that the entity did not materially comply with the requirements and must provide a description of the nature of the noncompliance.
Expanded requirements for cybersecurity defense and vulnerability management mechanisms
- The existing requirement for penetration testing now includes assessments “from both inside and outside the information systems’ boundaries by a qualified internal or external independent party at least annually.” See id. § 500.5(a)(1).
- There is a new requirement to conduct automated scans of information systems and a manual review of systems not covered by such scans to discover, analyze, and report vulnerabilities at a frequency to be determined in the entity’s risk assessment. See id.
- There is a new requirement to have a monitoring process in place to be promptly informed of new security vulnerabilities and to timely remediate such vulnerabilities giving priority based on the risk they pose to the covered entity. See id. § 500.5(b)–(c).
- There are various new limitations on user access privileges, including limiting user access to nonpublic information and privileged accounts to only those necessary to perform the user’s job, annually reviewing all user access privileges, terminating accounts when they are no longer necessary, promptly terminating access following user departures, and disabling or securely configuring all protocols that permit remote control of devices. See id. § 500.7(a).
- There is a new requirement to implement a written password policy that meets industry standards, to the extent passwords are used for authentication. See id. § 500.7(b).
- There is an updated requirement to using multi-factor authentication for any individual accessing any information systems of a covered entity, subject to certain limited exemptions. See id. § 500.12.
Additional requirements to implement robust written policies and procedures to produce and maintain an asset inventory of information systems
At a minimum, such written policies and procedures must include (i) a method to track key information for each asset (such as owner, location, classification or sensitivity, support expiration date, and recovery time objectives) and (ii) the frequency required to update and validate the asset inventory. See id. § 500.13(a).
New requirements to implement cybersecurity plans containing proactive measures to investigate and mitigate cybersecurity events and to ensure operational resilience
- A covered entity is required to establish an incident response plan that addresses, at a minimum, its internal processes for responding to a cybersecurity event, recovery from backups, and preparation of a root cause analysis that describes how and why the event occurred, its business impact, and measures to prevent reoccurrence. See id. § 500.16(a)(1).
- A covered entity is also required to establish a business continuity and disaster recovery plan that ensures the availability and functionality of its information systems and material services and protects its personnel, assets, and nonpublic information in the event of a cybersecurity-related disruption to its normal business activities. The new requirements set forth specific elements that should be addressed in this plan, including, among other items, identifying the documents, data, infrastructure, and personnel that are essential to the covered entity’s continued operations; setting out a communication plan with essential persons; setting out procedures for backing up essential information and timely recovery of critical data; and identifying third parties necessary to the covered entity’s continued operations. See id. § 500.16(a)(2).
- A covered entity is required to train, and annually test, employees on such plans. See id. § 500.16(c)–(d).
Enhanced reporting obligations, with an expanded scope of events to be reported and scope of information to be included in the reports
The existing cybersecurity requirements require a covered entity to report a cybersecurity incident to the NYDFS superintendent within 72 hours after determining a cybersecurity incident has occurred. The amendment expands on this reporting obligation by clarifying that (i) the reporting obligation is triggered if the cybersecurity incident has occurred at the covered entity, its affiliates, or a third-party service provider; (ii) the report must be submitted electronically (in the form on the NYDFS’s website); and (iii) a covered entity is required to provide to the NYDFS superintendent any information requested regarding such incidents. The amendment also clarifies that covered entities must update the NYDFS superintendent if there are material changes to the information they have reported or if information they are required to report subsequently becomes available. See id. § 500.17(a).
A covered entity is also required to notify the NYDFS of extortion payments made in connection with a cybersecurity event within 24 hours of the payment and, within 30 days of the payment, provide a written description of the reasons the payment was necessary. See id. § 500.17(c).
Reinforced enforcement authority
The NYDFS clarified that “[t]he commission of a single act prohibited by this Part or the failure to act to satisfy an obligation required by this Part shall constitute a violation hereof.” See id. § 500.20(b).
Among such acts or failures is “the failure to secure or prevent unauthorized access to an individual’s or an entity’s nonpublic information due to noncompliance with any section of this Part.” See id. § 500.20(b)(1).
In response to certain public comments from industry participants and other interested parties, the NYDFS clarified that this determination is not subject to a materiality threshold. Rather, a covered entity that has failed to secure or prevent unauthorized access to nonpublic information because it is not in compliance with the amended cybersecurity requirements is in violation of the amended cybersecurity requirements.
If the impact of the violation is immaterial, that would be considered when assessing penalties and how a potential enforcement action might be viewed by the NYDFS. See NYDFS, Assessment of Public Comments on the Revised Proposed Second Amendment to 23 NYCRR Part 500 at 37.
A violation also arises from “the material failure to comply for any 24-hour period with any section of [the amended cybersecurity requirements].” See Amended Cybersecurity Requirements § 500.20(b)(2). The NYDFS clarified in response to the public comments that such 24-hour period for material compliance does not begin when the covered entity becomes aware of a material failure; rather, it begins when the material failure has occurred. See NYDFS, Assessment of Public Comments on the Revised Proposed Second Amendment to 23 NYCRR Part 500 at 38.
In assessing penalties for a violation of the amended cybersecurity requirements, the NYDFS superintendent will take into account numerous factors, including the covered entity’s cooperation with the superintendent; the covered entity’s good faith; whether the violation resulted from unintentional conduct and not reckless or deliberate conduct; any history of prior violations; the extent of harm to consumers; whether timely disclosures were made to affected consumers; the financial resources, net worth, and annual business volume of the covered entity and its affiliates; and such other matters as justice and the public interest require. See Amended Cybersecurity Requirements § 500.20(c).
The amendment represents a significant overhaul of the cybersecurity regulatory landscape that carries implications for NYDFS-regulated financial institutions, particularly in light of the NYDFS’s clarified authority to bring enforcement actions for even a single violation of the amended cybersecurity requirements. Covered entities should assess their cybersecurity infrastructure to ensure compliance with the updated regulations by April 29, 2024 (or, in the case of certain reporting obligations, by December 1, 2023). Among other things, covered entities should consider whether to increase their investments and corporate budget to design and implement cybersecurity programs that allow for compliance with the new requirements imposed by the amendment, and enforce and monitor such compliance not only within the covered entity but also among the covered entity’s vendors who store or process data on the covered entity’s behalf or who otherwise have access to the covered entity’s data or networks. It is critical for financial institutions to review the impacts of the amendment on their respective institutions as soon as possible in order to take proactive measures to ensure compliance with the amended cybersecurity requirements.