New York Department of Financial Services Finalizes Amended Cybersecurity Regulations

On November 1, the New York Department of Financial Services (NYDFS) amended its cybersecurity regulations to set additional notification, administrative, training and technical requirements.

The Amended Cybersecurity Regulations make clear that the “commission of a single act prohibited by,” or the failure to act to satisfy, a required obligation in the Amended Regulations constitutes a violation. Although most of the Amended Regulations set new technical, training and administrative standards (as well as new notification obligations), some aspects will codify existing regulatory expectations and streamline current practices.

NYDFS said the Amended Regulations are intended to “build on our risk-based approach to integrate cybersecurity with enhanced governance, more robust access controls and assessments, updated reporting rules including for ransomware, and requirements for personnel training, these regulations raise the bar for cyber resilience.”

Here’s a look at significant additions to the Amended Regulations, including:

• Revisions to reportable incidents and associated events.
• Heightened governance requirements.
• Administrative requirements to strengthen identity and access management.
• Technical multifactor authentication requirements.
• The timeline for compliance.

Who Is Covered

The scope of covered entities remains unchanged and covers any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, Insurance Law or Financial Services Law. This would include money transmitters, BitLicensees, mortgage companies and insurance companies.

Notification Obligations

NYDFS has expanded reportable cybersecurity events to cover all ransomware events in addition to previously reportable events. The changes also codify the current practice of requiring entities to report incidents at affiliate and/or third-party locations.

In addition to the 72-hour reporting requirement, NYDFS will now require all covered entities to report within 24 hours any ransomware or extortion payment made in connection with a cybersecurity event. And within 30 days, entities must provide “a written description of the reason payment was necessary, a description of alternatives to payment considered, all diligence performed to find alternatives to payment and all diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control.”

Heightened Governance Requirements

Consistent with recent multistate regulatory enforcement actions, the Amended Regulations seek to expand the duties and obligations of the board or other senior governing body to exercise proper oversight and control over the entity’s cybersecurity program. The Amended Regulations:

• Require a CISO to “timely report” to the board or senior governing body significant cybersecurity issues or material changes to the entity’s cybersecurity program.
• Instruct the board or senior governing body to retain sufficient understanding of cybersecurity to enable effective oversight, provide proper direction of executive management and allocate sufficient resources to cybersecurity.
• Require the board or senior governing body to regularly receive and review management reports and review written cybersecurity policies and procedures once a year.
• Specify that annual compliance certifications will require co-certification by the highest-ranking executive officer and by the CISO or senior cybersecurity officer.

Additional Administrative Requirements

The Amended Regulations spell out additional requirements for entities to maintain robust vulnerability management procedures, privilege management, asset management, training and business continuity and disaster recovery. The regulations:

• Require robust vulnerability management policies and procedures.
  • All entities must now conduct annual penetration tests covering internal and external networks, conduct automated vulnerability scanning and address remediated vulnerabilities in a systematic and prioritized manner.
  • The regulations delete the vague concept of “continuous monitoring” as an exception to the penetration testing and vulnerability assessment requirements.
• Continue to strengthen identity access management, emphasizing policy of least privilege principles, codifying requirements to conduct privilege reviews, limiting and segregating the number of privileged accounts and disabling by default protocols and services not in use.
• Obligate entities to implement robust asset management practices, which now explicitly require certain asset management information to be collected and routinely updated, such as owner, location, classification or sensitivity, support expiration date and recovery time objectives.
• Direct covered entities to develop, implement and test a robust Business Continuity and Disaster Recovery Plan.
  • The BCDR should include test scenarios covering the restoration of critical data and systems from backups.
  • The Amended Regulations also require covered entities to maintain backups that are isolated from network connections. These requirements are consistent with the CSBS Nonbank Cybersecurity Exam Program, initially adopted in 2022.
• Update incident response plans to cover ransomware events and threat hunting. Additionally, incident response procedures must cover root cause analysis, a summary of business impacts and remedial steps. This change is consistent with the previously issued NYDFS’ industry letter covering ransomware.
• Require personnel training to cover social engineering.

Additional Technical Requirements

Alongside administrative requirements, the Amended Regulations expand the scope of technical controls that covered entities must implement as part of a cybersecurity program.

• Unless a covered entity qualifies for an exemption, it must use multifactor authentication (MFA) for all access to its systems and third-party applications (i.e., cloud-based resources). Previously, MFA was only required for remote access situations.
• Covered entities must also implement risk-based controls to protect against malware, including controls for monitoring and filtering web traffic and emails to block malicious content.

Class A Companies

The Amended Regulations also introduce a new category of companies that will be subject to heightened requirements: Class A Companies are NYDFS-regulated businesses that:

• Grossed $20 million or more in annual revenue from operations in New York in each of the last two years—and either:
  • Have over 2,000 employees (between the covered entity and affiliates) averaged over the last two years; or
  • Have $1 billion in gross revenue (on a consolidated basis) in each of the last two fiscal years for all business operations, regardless of state or jurisdiction.

The regulations subject Class A Companies to additional requirements, including:

• Conducting annual independent audits of its cybersecurity program, which can be performed by external or internal auditors.
• Implementing privileged access management systems and automated methods to block commonly used passwords.
• Implementing Endpoint Detection and Response solutions, such as SentinelOne, CrowdStrike or Cortex XDR, and a Security Information and Event Management system.

Timeline for Compliance

Covered entities will need to demonstrate compliance within 180 days of the Amended Regulations being published in the State Register, with the exception of the requirements listed below:

Other Considerations

The Amended Regulations increase the dollar and size thresholds for covered entities seeking partial exemption from the Amended Regulations. The changes also streamline rules that allow entities to provide annual certifications that include explanations of areas where the entity is not yet compliant, why compliance has not been achieved, and a plan and timeline to become compliant.

Consistent with recent enforcement actions, NYDFS considers whether a covered entity’s cybersecurity program aligns with the NIST Cybersecurity Framework, among other factors, in determining penalties for noncompliance.

Steps Covered Entities Should Consider Taking

Given extensive updates to cybersecurity requirements, including the FTC amendments on the Safeguards Rule, covered entities are encouraged to conduct a robust annual assessment of their information security programs. They also should determine how the Amended Regulations could impact existing licenses or license applications that are under review.

Covered entities should begin to:

• Determine whether they fall under the definition of a “Class A Company” or under an exception.
• Review incident response plans and procedures to align with expanded notification requirements.
• Develop a ransomware playbook that includes policies governing extortion payments and the due diligence measures required under applicable OFAC sanctions rules and NYDFS notification obligations.
• Examine their cybersecurity governance structure to make sure their CISO and senior governing bodies have the necessary capabilities and resources to develop and maintain the required cybersecurity program.

Over the next six months, we recommend institutions review policies, procedures and technical controls in order to ensure compliance within the prescribed timelines. Many of the standards now required by the Amended Safeguards Rule may require time to research, develop, test and implement automated solutions, including developing:

• Automated asset and data discovery solutions.
• Automated vulnerability scanning and patch management systems.
• More robust governance, risk and compliance management solutions.
• MFA solutions to cover all access.
• Immutable backup solutions.