As we reported in a previous blog post, the New York Department of Financial Services (“NYDFS”) proposed a raft of amendments to its landmark Cybersecurity Regulations (the “Regulations”) in 2022 (the “2022 Proposed Amendment”), adding substantial complexity to covered entities’ compliance obligations. Now, less than a year later, the NYDFS has published a proposed revised draft of the 2022 Proposed Amendment (as revised, the “2023 Proposed Amendment”). While not as extensive as the 2022 Proposed Amendment, the 2023 Proposed Amendment will nevertheless have a significant impact on how your organization complies with the Regulations.
Definition of Class A Companies
The 2022 Proposed Amendment established a definition of “Class A Companies” that would include the largest Covered Entities (i.e., those with more than 2,000 employees averaged across the last two fiscal years, including the Covered Entity and its affiliates, and those with more than $1,000,000,000 in gross annual revenue over the last two fiscal years across the entity and its affiliates). The 2023 Proposed Amendment clarifies that only affiliates that share information systems, cybersecurity resources or elements of a cybersecurity program will be considered “affiliates” for purposes of the definition of “Class A Companies.” How impactful this clarification will prove to be will depend on how broadly or narrowly the NYDFS interprets “cybersecurity resources” and “elements of a cybersecurity program.”
Responsibilities of Senior Governing Bodies
The 2022 Proposed Amendment required the Senior Governing Body of a Covered Entity to “have sufficient expertise and knowledge, or be advised by persons with sufficient expertise and knowledge, to exercise effective oversight of cybersecurity risk management.” The 2023 Proposed Amendment loosens these requirements and clarifies that Senior Governing Bodies must “have sufficient understanding to exercise [effective] oversight” of the Covered Entity’s cybersecurity program.
Authentication Procedures
The 2023 Proposed Amendment makes clear that multi-factor authentication (“MFA”) is required for any type of access (internal or remote) to any Covered Entity information system or other system housing nonpublic information (for example, third-party applications), unless the CISO has granted written approval of an alternative authentication method that is reasonably equivalent to or more secure than MFA. The current Regulations only require the use of MFA or such an alternative method for remote access to Covered Entities’ information systems. If adopted, the 2023 Proposed Amendment would require small businesses qualifying for a limited exception to implement MFA for remote access to the Covered Entity’s information systems, remote access to third-party applications hosting nonpublic information, and privileged accounts (rather than for all access to nonpublic information or the Covered Entity’s information systems).
Independent Audits for Class A Companies
The 2022 Proposed Amendment required Class A Companies to use external experts to conduct annual independent cybersecurity audits. This language has been modified in the 2023 Proposed Amendment, which now clarifies that Class A Companies may use internal or external experts to conduct such audits.
Additional Incident Response Plan Requirement
The Regulations currently require Covered Entities to create an incident response plan (“IRP”) that includes all aspects of the traditional incident response lifecycle: i.e., preparation, detection, analysis, containment, eradication, recovery, and post-event evaluation activities, including making appropriate adjustments to the IRP based on “lessons learned.” In addition to these requirements, the 2023 Proposed Amendment adds the requirement that Covered Entities “prepare [a] root cause analysis that describes how and why the event occurred, what business impact it had, and what will be done to prevent reoccurrence.”
Business Continuity and Disaster Recovery Plan Testing
The 2023 Proposed Amendment specifies that Covered Entities must test their business continuity and disaster recovery plans annually “with all staff critical to the response, including senior officers and the highest-ranking executive of the covered entity[.]”
Takeaways
The public comment period for the 2023 Proposed Amendment closes on August 14, 2023. Assuming the 2023 Proposed Amendment is finalized in its current form, Covered Entities will be required to make significant changes to their security programs to ensure compliance with the new requirements. As we pointed out in our previous post, the NYDFS is placing increasing importance on risk assessments, Board of Directors and leadership oversight of cybersecurity programs, audits, testing, and monitoring, and documented policies and procedures. Though the Regulations only apply to financial institutions operating in New York, the controls outlined in the Regulations are similar to those in common cybersecurity frameworks (like the NIST Cybersecurity Framework or the Center for Internet Security Critical Security Controls). Moreover, regulators like the FTC and SEC have signaled that controls like those in the Regulations are expected elements of a robust cybersecurity program. Accordingly, the Regulations can be viewed by non-covered entities as a benchmark by which to evaluate their cybersecurity programs.
Additionally, the Regulations underscore the increasing imperative to make cybersecurity a whole-enterprise function, requiring the participation of various business stakeholders. Importantly, legal determination of the appropriateness of the controls implemented will be crucial for Covered Entities, in addition to technical assessment and implementation and oversight by company leadership. Crucially, technical, legal, and business stakeholder involvement in routine, proactive cybersecurity assessments benchmarked against an applicable regulation (like the Regulations) or a commonly accepted cybersecurity framework is essential to identifying, prioritizing, and remediating gaps in organizations’ security controls. We recommend that organizations undertake such assessments at the direction of outside counsel, where possible, to help ensure compliance with applicable legal and regulatory obligations and to protect assessment findings with attorney-client privilege. Coupled with active threat intelligence monitoring and a vulnerability management program, such activities ensure that organizations are well-positioned to meet evolving cybersecurity threats.