The New York State Department of Financial Services Expands Cybersecurity Rules
The New York State Department of Financial Services (NYDFS) recently finalized amendments to its 2017 regulations on cybersecurity (23 NYCRR Part 500). Updates to the regulation add strict provisions on board oversight of cybersecurity, ransomware payments, and event reporting. Covered entities – defined as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” – have until April 29, 2024 to become compliant with these new amendments. However, changes to the reporting requirements will come into effect earlier, on December 1, 2023.
Updates to the existing regulation
These amendments include the following:
Vulnerability management - The DFS’ expanded cybersecurity regulation includes additional requirements for vulnerability management practices in covered entities’ cybersecurity policies. Beyond an annual risk assessment requirement, the updates to the rule also indicate that policies and procedures should be designed to ensure that covered entities conduct a penetration test (both internal and external to their systems) at least once a year.
Cybersecurity programs - The amendments set out new requirements for the maintenance of the cybersecurity programs of large companies (companies with at least $20M in gross annual revenue and over 2,000 employees). Cybersecurity programs for these entities will need to be audited annually based on a yearly risk assessment.
Cybersecurity governance - Amendments to the rule now require that covered entities designate a Chief Information Security Officer (CISO), employed by the covered entity, one of its affiliates, or a third-party service provider. CISOs will be required to report to senior governing bodies at least once a year regarding cybersecurity policies, issues, and risks. In addition, this most recent amendment to the regulation will require that the governing bodies or senior officers of each covered entity have “sufficient understanding of cybersecurity-related matters”.
Multi-factor authentication - Newly added to the existing rule are additional requirements for technology safety and access controls. Most notably, the amendments require covered entities to implement multi-factor authentication for any individual accessing any information systems, with some exceptions. Multi-factor authentication will be required for remote access to a covered entity’s information systems, remote access to third-party applications, and to all privileged accounts.
Cybersecurity event notice - The amendment also sets forth a strict reporting requirement that diverges from the recently passed U.S. Securities and Exchange Commission (SEC) standards for publicly traded companies. Rather than requiring companies to report only material incidents within a four-day timeline, the NYDFS now requires that covered entities make a report no later than 72 hours after determining that a cybersecurity event has occurred, regardless of materiality.
Ransom payment notification - In addition to the 72-hour reporting timeline for all cybersecurity events, the amendments set forth new reporting requirements in the event of a ransom payment made in connection with a cybersecurity event. Covered entities are required to provide notice of any such payments within 24 hours and will have 30 days to submit a full written reasoning behind making the payment, including alternatives considered before making the payment.
Exemptions - The amendments expand the number of companies that qualify for small-company exemptions. Entities with fewer than 20 employees, less than $7.5M in gross annual revenue, or less than $15M in year-end total assets would be exempt from some of the cybersecurity requirements.
Firms do not have much time to determine how these amendments affect their cybersecurity programs and comply with the new requirements. We recommend covered entities perform a gap analysis immediately to determine where changes need to be made. Any cybersecurity events that happen in or after December of this year will need to follow the new reporting requirements. All other changes identified by the gap analysis will need to be made in less than six months.
How we help
ACA Aponix® can help you perform a gap analysis of your cybersecurity program against the new requirements of these amendments, and develop, implement, and maintain the changes needed to bring your information security program in line with them. Learn more about our solutions here.
For questions about these new requirements, or to find out how ACA can help you meet your regulatory cybersecurity obligations, please reach out to your ACA consultant or contact us.