On July 29, New York State’s Department of Financial Services (NYDFS) released draft amendments (Draft Amendments) to its Part 500 Cybersecurity Regulation for financial service companies that, among others things: (1) contain significant changes regarding ransomware; (2) propose a new class comprising larger entities, which will be subject to increased obligations for their cybersecurity programs; (3) require enhancements to governance policies and procedures; (4) announce new restrictions on privileged accounts; and (5) clarify its enforcement authority.

Highlights of the Draft Amendments include:

  • Ransomware:
    • Each covered entity would be required to notify the NYDFS superintendent electronically no later than 72 hours after a cybersecurity event that resulted in the deployment of ransomware within a material part of the covered entity’s information system.
      • Currently, the 72-hour notice would only be required if the ransomware required notice to another governmental entity or if there was a reasonable likelihood of it harming a material part of the company’s normal operations.
    • In the event of an extortion payment is made in connection with a cybersecurity event, the covered entity would be required to notify the superintendent electronically within 24 hours of payment and provide a written description of why the payment was necessary, what alternatives were considered, and all compliance due diligence performed within 30 days of payment.
  • Class A Companies:
    • The Draft Amendments create a new category of “Class A” companies, which are covered entities with over 2,000 employees or over $1 billion in gross annual revenue averaged over the past three fiscal years from all business operations of the company and its affiliates.
    • Class A companies would be subject to additional cybersecurity requirements, including:
      • Conducting annual audits of their cybersecurity program;
      • Engaging external experts to conduct a risk assessment at least once every three years;
      • Conducting systematic scans or review of information systems at least weekly, with the requirement that any material gaps found during testing be documented and reported to the board and senior management;
      • Implementing password vaulting solutions for privileged accounts with an automated method of blocking commonly used passwords; and
      • Monitoring anomalous activity with a solution that centralizes logging and security event alerting.
  • Governance Requirements:
    • The chief information security officer (CISO) would be required to have adequate independence and authority to ensure cyber risks are properly managed;
    • The CISO will be required to provide annual reporting to the board on plans for remediating inadequacies, as well as timely reporting on material cybersecurity issues or events;
    • The board will be required to have sufficient expertise and knowledge (or be advised by persons with such expertise) to exercise effective oversight of cyber risk;
    • The board, as opposed to senior management, will be required to approve the company’s cybersecurity policies;
    • Business continuity and disaster recovery plans would be required to include details, such as designating essential data and personnel, communication preparations, back-up facilities, and identifying necessary third parties; and
      • These plans must also be periodically tested with all staff who are critical to the effort, including senior officers.
    • Incident response plans will be required to address ransomware incidents and include recovery from backups;
      • These plans must be periodically tested with all staff who are critical to the response, including senior officers and the CEO.
  • Privileged Accounts:
    • The Draft Amendments define “privileged accounts” as any account that can be used to perform security-relevant functions, which ordinary users are not authorized to perform, or affect a material change to technical or business operations. These accounts would be required to:
      • Have multifactor authentication;
      • Be limited in number and access functions to only those necessary to perform the user’s job;
      • Limit the use of privileged accounts to only when performing functions requiring the use of such access;
      • Have all-user access periodically reviewed and remove all accounts that are no longer necessary; and
      • Disable or securely configure all protocols that permit remote control of devices.
  • Enforcement:
    • The Draft Amendments elucidate that a violation will be found if a covered entity commits any act prohibited by the regulations or fails to satisfy an obligation.
    • NYDFS would be within its purview to consider certain factors when assessing the severity of penalties, including cooperation, good faith, intentionality, prior violations, number or pattern of violations, gravity of the violation, provision of false or misleading information, harm to customers, accuracy and timeliness of customer disclosures, participation of senior management, penalties by other regulators, and business size.

The Draft Amendments are currently in the pre-proposal phase, and there will be a short comments period ending August 8 before the publishing of the official proposed amendments, which will trigger a 60-day comment period. The Draft Amendments will likely take effect in 2023. However, covered entities should review them now to ensure they have enough time to implement any technology upgrades necessary to be in compliance.

Troutman Pepper will continue to report on new developments with the New York Department of Financial Services and other institutions involved with cybersecurity regulation.