On July 29, 2022, the New York Department of Financial Services published pre-proposal draft amendments to its Cybersecurity Regulations, 23 NYCRR 500.00, et seq., which, if adopted, will require covered entities to implement numerous policy and operational changes.
As explained by DFS: “Before filing a proposed regulation for publication in the State Register for a formal comment period pursuant to the New York State Administrative Procedure Act, the Department provides a draft for review and comment by interested persons and the public, including, but not limited to, small businesses and local governments.”
Comments to this pre-proposal outreach are due by Aug. 18, 2022.
A “covered entity” is defined as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” The amendments add this to the end of the sentence: “including entities that are also regulated by other government agencies.”
This add-on language is imprecise. Can this be read to mean DFS is expanding coverage to entities over which only other agencies have regulatory authority? Perhaps. Can it be read to include, for example, third-party debt collectors and debt buyers that are subject to DFS regulations, i.e. “regulated,” but are not “required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law”? Maybe.
If the intent is simply to clarify that persons who are covered entities are subject to the regulations regardless of whether they are additionally subject elsewhere to similar regulations, the add-on language is completely unnecessary. The current definition does not allow for such an argument, and the current exemptions include no such allowance.
Cybersecurity policies must be approved at least annually by a “senior governing body,” which is defined as “the covered entity’s board of directors (or an appropriate committee thereof) or equivalent governing body or, if neither of those exist, the senior officer of the covered entity responsible for the covered entity’s cybersecurity program.”
The Chief Information Security Officer (“CISO”) provisions add that the CISO “must have adequate independence and authority to ensure cybersecurity risks are appropriately managed.” New requirements include the submission of “plans for remediating inadequacies” and the timely reporting of material cybersecurity issues.
Additionally, amendments would expand responsibility by mandating that the “board or an appropriate committee of the board shall have sufficient expertise and knowledge, or be advised by persons with sufficient expertise and knowledge, to exercise effective oversight of cyber risk and a committee or subcommittee assigned responsibility for cybersecurity.”
PENETRATION TESTING AND VULNERABILITY ASSESSMENTS
The amendments would require that annual penetration testing be performed “by a qualified independent party,” and that vulnerability assessments be performed regularly, based on risk, as opposed to bi-annually.
The amendments would limit the number and use of “privileged accounts,” defined as “any authorized user account or service account that can be used to: (1) perform security-relevant functions that ordinary users are not authorized to perform, including but not limited to the ability to add, change, or remove other accounts, or make configuration changes to operating systems or applications to make them more or less secure; or (2) affect a material change to the technical or business operations of the covered entity.”
Instead of periodic review, the amendments would require at least an annual review of a covered entity’s cybersecurity procedures, guidelines, and standards.
The amendments would require multi-factor authentication for “privileged accounts,” and “for remote access to the network and enterprise and third-party applications from which nonpublic information is accessible,” removing the leeway for the CISO to alternatively approve “the use of reasonably equivalent or more secure access controls.”
The amendments add a new requirement that covered entities “implement written policies and procedures designed to ensure a complete, accurate, and documented asset inventory, including, all information systems and their components such as hardware, operating systems, applications, infrastructure devices, APIs, and cloud services. The asset inventory shall be maintained in accordance with written policies and procedures.”
MONITORING AND TRAINING
In addition to the current requirements, a cybersecurity program would need to “monitor and filter emails to block malicious content from reaching authorized users,” and training would need to include “phishing training, exercises, and simulations.”
BUSINESS CONTINUITY AND DISASTER RECOVERY PLAN
In addition to the current requirement for an incident response plan, the amendments would require a business continuity and disaster recovery plan “reasonably designed to ensure the availability and functionality of the covered entity’s services and protect the covered entity’s personnel, assets, and nonpublic information in the event of an emergency or other disruption to its normal business activities.”
NOTICE OF CYBERSECURITY EVENT
In addition to the existing requirement to notify the Superintendent when notice of a cybersecurity event must be provided to another governmental or self-regulatory agency, or when the event has a likelihood of material harm, the amendments would require notice when:
- an unauthorized user has gained access to a privileged account; or
- the event resulted in the deployment of ransomware within a material part of the covered entity’s information system.
NOTICE OF NON-COMPLIANCE
Currently, a covered entity must submit an annual certification of compliance. The amendments would add the alternative to submit a written acknowledgment that:
- the covered entity was not in compliance during the preceding year;
- identifies how the covered entity was not in compliance; and
- identifies how and when the deficiencies will be remediated.
NOTICE OF EXTORTION PAYMENT
The amendments would require a covered entity to notify the Superintendent within 24 hours of any cybersecurity extortion payment, and to provide within 30 days a description of:
- why payment was necessary;
- alternatives to payment considered;
- diligence performed to find alternatives to payment;
- diligence performed to ensure compliance with all applicable regulations, “including those of the Office of Foreign Assets Control.”
The amendments provide that “[t]he commission of a single act prohibited by this Part or the failure to act to satisfy an obligation required by this Part shall constitute a violation hereof.” Examples include:
- the failure through noncompliance to secure or prevent unauthorized access to nonpublic information; or
- the failure to comply for any 24-hour period with any section or subsection of this Part.
Thus, apparently each day of non-compliance would constitute a separate violation. This seems unnecessary, since the factors to be taken into consideration in assessing a penalty would include “whether the violation involved an isolated incident, repeat violations, systemic violations or a pattern of violations,” and “the number of violations and the length of time over which they occurred.”
Although this is in the pre-proposal stage, the amendments deserve close consideration since they would require numerous policy and operational changes and are likely very similar to what we will see in the formal notice of proposed rulemaking to follow.