On July 29, 2022, the New York Department of Financial Services (“NYDFS”) posted proposed amendments (“Proposed Amendments”) to its Cybersecurity Requirements for Financial Services Companies (“Cybersecurity Regulations”). The Proposed Amendments would expand upon the set of prescriptive cybersecurity requirements applicable to all covered financial institutions, as well as impose more stringent requirements for “Class A Companies” (as defined below). There will be a brief pre-proposal comment period, followed by the official publication of the Proposed Amendments, which will trigger a new 60-day comment period. Below are the key changes introduced by the Proposed Amendments.
Class A Companies
The Proposed Amendments introduce a new category of “Class A Companies,” which consists of large financial institutions that would be subject to heightened requirements. Specifically, Class A Companies are covered financial institutions with over (1) 2,000 employees (including those of both the covered institution and its global affiliates), or (2) $1 billion in gross annual revenue averaged over the last three fiscal years from all business operations of the entity and its affiliates. Under the Proposed Amendments, Class A Companies would be subject to the following new requirements (in addition to the new requirements that would be imposed on all covered financial institutions, as described further below):
- As part of the “cybersecurity program” requirements under Section 500.2 of the Proposed Amendments, Class A Companies must undergo an independent audit of their cybersecurity program on at least an annual basis.
- As part of the “penetration testing and vulnerability assessments” requirements under Section 500.5 of the Proposed Amendments, Class A Companies must conduct systematic vulnerability scans or reviews of information systems at least weekly.
- As part of the “access privileges” requirements under Section 500.7 of the Proposed Amendments, Class A Companies must (1) ensure use of strong, unique passwords; (2) monitor privileged access activity; and (3) unless, a reasonable equivalent is approved in writing by the company’s CISO, implement both a password vaulting solution for privileged accounts and an automated method for blocking commonly used passwords.
- As part of the “risk assessment” requirements under Section 500.9 of the Proposed Amendments, Class A Companies must use external experts to conduct a risk assessment at least once every three years.
- As part of the “training and monitoring” requirements under Section 500.14 of the Proposed Amendments, unless a reasonable equivalent is approved by the CISO, Class A Companies must implement (1) an endpoint detection and response solution to monitor anomalous activity, including lateral movement; and (2) a centralized solution for logging and security event alerting.
Additional Requirements
In addition to the new heightened requirements for Class A Companies, the Proposed Amendments would impose new requirements for all covered financial institutions, including the following:
- A covered entity’s cybersecurity policies must (1) be approved at least annually by a “senior governing body” (i.e., the board of directors or equivalent governing body, or if no such body exists, a responsible senior office), rather than solely a senior office; and (2) address certain additional subjects that are not currently required by the Cybersecurity Regulations, including end-of-life management and vulnerability and patch management.
- A covered entity’s CISO must have adequate independence and authority to ensure cyber risks are appropriately managed.
- The CISO’s obligation to report to the senior governing body (e.g., board of directors) has been expanded to include plans for remediating inadequacies and timely reporting on material cybersecurity issues or major cybersecurity events.
- If a covered entity has a board of directors, the board must (1) require the covered entity’s executive management or its delegates to implement and maintain the covered entity’s cyber program; and (2) possess sufficient expertise and knowledge (or be advised by persons with such expertise or knowledge) to exercise effective oversight of cyber risk and a committee or subcommittee assigned responsibility for cybersecurity.
- Covered entities must undergo annual penetration testing by a qualified independent party, as well as regular vulnerability assessments, and material gaps found during testing must be documented and reporting to the senior governing body.
- With respect to access controls, covered entities must (1) limit the use of privileged accounts to only when performing functions requiring the use of such access; (2) periodically review all user access privileges and remove accounts and access that are no longer necessary; and (3) disable or securely configure all protocols permitting remote control of devices.
- The risk assessments required by Section 500.9 of the Proposed Amendments must (1) be conducted at least annually; (2) be tailored to the specific circumstances of the covered entity, including its size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations; (3) include threat and vulnerability analyses; and (4) consider mitigations provided by existing security controls. Covered entities also must conduct an “impact assessment whenever a change in the business or technology causes a material change in the covered entity’s cyber risk.”
- A covered entity must implement multi-factor authentication for (1) remote access to the covered entity’s network and applications from which nonpublic information is accessible; and (2) all privilege accounts, except for service accounts that prohibit interactive login and for which the CISO has approved reasonably equivalent compensating controls.
- Covered entities must implement written policies and procedures designed to ensure a complete and accurate asset inventory, including policies and procedures that address (1) tracking key information for each asset (e.g., owner, location, classification or sensitivity, support expiration date, recovery time requirements); and (2) the frequency required to update and validate the asset inventory.
- A covered entity’s cyber program must include phishing training and exercises, as well as monitoring and filtering of emails to block malicious content.
- Covered entities must implement a written policy requiring industry-standard encryption to protect nonpublic information held or transmitted by the covered entity both in transit over external networks and at rest.
- A covered entity’s incident response plan, as required by Section 500.16 of the Proposed Amendments, must contain proactive measures to mitigate disruptive events (e.g., ransomware events) and ensure operational resilience.
- A covered entity must implement a business continuity and disaster recovery (“BCDR”) plan that (1) is designed to ensure the availability and functionality of the covered entity’s services, and protect the covered entity’s personnel, assets and nonpublic information in the event of an emergency or other disruption to its normal business activities; and (2) includes certain prescribed content, such as identification of data, personnel and infrastructure that are essential to continued operations, a communications plan for essential persons in the event of a disruption, and procedures for the maintenance of back-up infrastructure.
- A covered entity must (1) train relevant employees on its incident response and BCDR plans; (2) test (e.g., through tabletop exercises) its incident response and BCDR plans with all staff critical to the response; and (3) test its ability to restore its systems from backups.
- Covered entities must maintain backups that are isolated from network connections;
- In addition to notifying NYDFS within 72 hours of discovering a cybersecurity event that requires notice to any other supervisory body or has a reasonable likelihood of materially harming any material part of the covered entity’s operations, covered entities also must provide such notice for the following additional types of cybersecurity events: (1) where an unauthorized user gains access to a privileged account, or (2) ransomware is deployed within a material part of the covered entity’s information system.
- In the event of an extortion payment made in connection with a cybersecurity event, a covered entity must notify NYDFS within 24 hours of the payment and, within 30 days of the payment, provide a description of the reason(s) payment was necessary, the alternatives to payment that were considered, all diligence performed on alternatives to payment, and all diligence performed to ensure compliance with applicable rules (e.g., OFAC sanctions rules).
In addition, under the Proposed Amendments, a covered entity’s required annual certification of compliance with the Cybersecurity Regulations would need to be signed by the CEO and the CISO (or other individual responsible for the entity’s cyber program), rather than only by a senior officer. The Proposed Amendments also would allow covered entities to file, in lieu of such certification, an “acknowledgement” that the covered entity did not fully comply, along with a description of such non-compliance, and identification of all areas, systems and processes that require material improvement, updates or redesign.
The Proposed Amendments also would provide the following two clarifications with respect to potential penalties under the Cybersecurity Regulations: (1) the commission of a single act prohibited by the Cybersecurity Regulations, or the failure to satisfy an obligation required by the Cybersecurity Regulations, constitutes a violation (including “the failure to comply for any 24-hour period with any section or subsection” of the Cybersecurity Regulations); and (2) NYDFS will consider certain mitigating factors when assessing potential penalties, such as cooperation with NYDFS, good faith, whether the violation was intentional or deliberate, historical violations, whether the violation was isolated or systemic, any harm to consumers, involvement of senior management, and the gravity and number of violations. If adopted, the requirements in the Proposed Amendments would take effect in accordance with various prescribed schedules. For instance, many of the requirements would take effect 180 days from the date of adoption, while other requirements would not take effect until one year after adoption. The additional notification and certification requirements would take effect 30 days after adoption.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code