On November 1, New York Governor Kathy Hochul announced that the state’s Department of Financial Services (NY DFS) has amended its Cybersecurity Regulations to “enhance cyber governance, mitigate risks, and protect New York businesses and consumers from cyber threats.” According to the NY DFS, key changes in the regulations include: enhanced governance requirements; additional controls to prevent unauthorized access to information systems and to mitigate the spread of an attack; requirements for more regular risk assessments, as well as more robust incident response plans; updated notification requirements; and updated direction for companies to invest in at least annual training and cybersecurity awareness programs that are relevant to their business model. The newly amended compliance requirements will take effect in phases.
The amended Cybersecurity Regulations continue to apply to “covered entities,” including, but not limited to, those operating under, or required to operate under, a license, registration, or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law. The amended regulations differentiate among businesses by creating a new category of “class A companies.” A class A company is a covered entity with at least $20 million in gross annual revenue from operations in the state, including New York revenue of affiliates, that also has either more than 2,000 employees, including employees of affiliates, or more than $1 billion in average gross annual revenue over the last two years, including revenue of affiliates, no matter where located. Highlights of the amendments are summarized below.
Enhanced Governance Requirements
- The amendments clarify that to the extent a covered entity utilizes an employee of an affiliate or third-party service provider to serve as its chief information security officer (CISO), the covered entity retains full responsibility for compliance with the Cybersecurity Regulations.
- The CISO shall timely report to the senior governing body or senior officers on material cybersecurity issues, such as significant cybersecurity events and significant changes to the cybersecurity program.
- The senior governing body shall exercise oversight of the cybersecurity risk management, including by:
- having sufficient understanding of cybersecurity-related matters to exercise such oversight, which may include the use of advisors;
- requiring the covered entity’s executive management or its designees to develop, implement and maintain the covered entity’s cybersecurity program;
- receiving and reviewing management reports about cybersecurity matters; and
- confirming that the covered entity’s management has allocated sufficient resources to implement and maintain an effective cybersecurity program.
Controls to Prevent Unauthorized Access and Mitigate the Spread of an Attack
- Each covered entity shall:
- limit the number of privileged accounts and limit the access functions of privileged accounts to only those necessary to perform the user’s job;
- limit the use of privileged accounts to only when performing functions requiring the use of such access;
- periodically, but at a minimum annually, review all user access privileges and remove or disable accounts and access that are no longer necessary;
- disable or securely configure all protocols that permit remote control of devices; and
- promptly terminate access following departures.
- To the extent passwords are employed as a method of authentication, the covered entity shall implement a written password policy that meets industry standards.
- Each class A company shall monitor privileged access activity and shall implement a privileged access management solution, and an automated method of blocking commonly used passwords.
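Two of the controls listed above can be mechanized. The block below is an added example, not code from the original post or from the NY DFS: it runs an access review over a constructed account inventory, flagging departed users, dormant accounts, and privileged rights that have gone unused (the 90-day and 30-day thresholds, the account records, and the minimum password length are assumptions, not figures from the regulation), and it implements an automated check that rejects commonly used passwords even when they are disguised with capitalization, trailing digits, or leetspeak substitutions (the blocklist is a small constructed sample; a real deployment would load a breached-password corpus).

```python
"""Added example: an access review and a common-password blocker.
Thresholds, sample accounts, and the blocklist are assumptions for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass
class Account:
    user: str
    privileged: bool               # holds admin/root-level rights
    employed: bool                 # False once HR records a departure
    last_login: Optional[date]
    last_privileged_use: Optional[date]


Finding = Tuple[str, str, str]     # (user, action, reason)


def _days_since(when: Optional[date], today: date) -> Optional[int]:
    return None if when is None else (today - when).days


def review_access(accounts: List[Account], today: date,
                  dormant_days: int = 90, privilege_idle_days: int = 30) -> List[Finding]:
    """Apply the review rules in order of severity and return one finding per account."""
    findings: List[Finding] = []
    for a in accounts:
        if not a.employed:                       # departures: terminate promptly
            findings.append((a.user, "disable", "user departed; terminate access promptly"))
            continue
        idle = _days_since(a.last_login, today)
        if idle is None or idle > dormant_days:  # access no longer necessary
            findings.append((a.user, "disable", f"no login in {dormant_days} days"))
            continue
        if a.privileged:                         # privileged rights must be in active use
            priv_idle = _days_since(a.last_privileged_use, today)
            if priv_idle is None or priv_idle > privilege_idle_days:
                findings.append((a.user, "remove-privilege",
                                 f"privileged rights unused for {privilege_idle_days} days"))
    return findings


# Constructed blocklist (assumption); production systems use a breached-password corpus.
COMMON_PASSWORDS: Set[str] = {"password", "123456", "qwerty", "letmein", "welcome", "summer", "admin"}
# Undo the usual leetspeak substitutions so "P@ssw0rd" collapses to "password".
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize_password(pw: str) -> str:
    """Lowercase, drop trailing digits/punctuation, reverse leetspeak."""
    pw = pw.lower().rstrip("0123456789!@#$%^&*.?_-")
    return pw.translate(_LEET)


def password_rejection(pw: str, blocklist: Set[str] = COMMON_PASSWORDS,
                       min_length: int = 12) -> Optional[str]:
    """Return a rejection reason, or None if the password passes the policy."""
    if len(pw) < min_length:
        return f"shorter than {min_length} characters"
    # Check the raw value too, so purely numeric entries like "123456" still match.
    for candidate in (pw, pw.lower(), normalize_password(pw)):
        if candidate in blocklist:
            return f"matches commonly used password '{candidate}'"
    return None


# Constructed sample data (assumption), reviewed as of a fixed date for reproducibility.
AS_OF = date(2024, 5, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", True, True, date(2024, 4, 28), date(2024, 4, 26)),   # clean
    Account("bob", False, True, date(2023, 10, 1), None),                 # dormant
    Account("carol", True, False, date(2024, 4, 29), date(2024, 4, 29)),  # departed
    Account("dave", True, True, date(2024, 4, 21), None),                 # unused privilege
    Account("erin", False, True, date(2024, 4, 30), None),                # clean
]

if __name__ == "__main__":
    for user, action, reason in review_access(SAMPLE_ACCOUNTS, AS_OF):
        print(f"{user:6} {action:17} {reason}")
    for pw in ("P@ssw0rd!2024", "Summer2024!!", "correct horse battery staple"):
        print(f"{pw!r}: {password_rejection(pw) or 'accepted'}")
```

The review deliberately stops at the most severe applicable finding per account, so a departed user is reported once as "disable" rather than also as dormant or over-privileged; the output is the worklist an identity team would act on and then retain as evidence of the annual review.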
Requirements for More Regular Risk Assessments and More Robust Incident Response Plans
- The amendments added a requirement for covered entities to conduct automated scans of information systems, and a manual review of systems not covered by such scans, for the purpose of discovering, analyzing, and reporting vulnerabilities, at a frequency determined by the risk assessment and promptly after any material system changes.
- As part of its cybersecurity program, each covered entity must have a written plan that contains proactive measures to investigate and mitigate cybersecurity events and to ensure operational resilience, including but not limited to incident response, business continuity and disaster recovery plans.
- Business continuity and disaster recovery (BCDR) plans shall be reasonably designed to ensure the availability and functionality of the covered entity’s information systems and material services and protect the covered entity’s personnel, assets, and nonpublic information in the event of a cybersecurity-related event.
- A covered entity must ensure that current copies of the plans or relevant portions are distributed or are otherwise accessible to all employees necessary to implement such plans.
- A covered entity must periodically, but at a minimum annually, test its:
- incident response and BCDR plans with all staff and management critical to the response, and revise the plan as necessary; and
- ability to restore its critical data and information systems from backups.
- A covered entity is required to maintain backups necessary to restore material operations.
Updated Notification Requirements
- In the event of a cybersecurity event, a covered entity is required to promptly provide to the superintendent of the NY DFS any information requested regarding such incident. Covered entities have a continuing obligation to update the superintendent with material changes or new information previously unavailable.
- All covered entities must also submit annually to the superintendent a certification that they materially complied with the regulations during the prior calendar year.
Compliance
- The amended regulation’s new compliance requirements will take effect in phases.
- Requirements for cybersecurity event notification and annual compliance certification will take effect 30 days after adoption.
- Requirements for incident response planning, governance, and encryption will take effect one year after adoption.
- Requirements for vulnerability management, access controls, and enhanced monitoring controls for class A companies will take effect 18 months after adoption.
- Requirements for an asset inventory and multi-factor authentication will take effect two years after adoption.
- For all other provisions, covered entities have 180 days from the date of adoption to come into compliance, that is, until April 29, 2024.
Please subscribe to The Consumer Finance Podcast for an upcoming episode dedicated to providing an in-depth assessment of these amendments.