On November 9, 2022, the New York Department of Financial Services (NYDFS) released its second proposed amendment to the Part 500 cybersecurity regulation. The proposed amendments revise several aspects of the draft amendment NYDFS released on July 29, 2022, and respond to comments received on that draft by clarifying and strengthening various requirements, as summarized below.
Key changes in the Proposed Amendments include the following:
The Proposed Amendments add three new categories of cybersecurity event that Covered Entities must report to NYDFS through the NYDFS online cybersecurity portal within 72 hours:
In addition, within 90 days of the notification a Covered Entity must provide NYDFS with any additional information NYDFS requests regarding its investigation of the cybersecurity event, and must continue to provide updates and further information as the investigation proceeds.
The proposed changes add a new notification requirement for ransomware payments. If a Covered Entity makes a ransomware payment, it must notify NYDFS within 24 hours of the payment. Within 30 days of that notification, the Covered Entity must also provide a written description of the payment explaining why the payment was necessary, what alternatives were considered, and what due diligence was performed to ensure compliance with applicable laws and regulations.
Revised Definition of Class A Companies
The proposed changes now define a Class A Company as a Covered Entity with at least $20 million in gross annual revenue in each of the last two fiscal years from the business operations of the Covered Entity and its affiliates in New York, and either: (1) more than 2,000 employees, averaged over the last two fiscal years, including those of the Covered Entity and all of its affiliates regardless of location, or (2) more than $1 billion in gross annual revenue in each of the last two fiscal years from all business operations of the Covered Entity and all of its affiliates. A Covered Entity that qualifies as a Class A Company is subject to several additional requirements under the Proposed Amendments, including an independent audit of its cybersecurity program at least annually by an external auditor, the use of external experts to conduct its risk assessment at least once every three years, and the implementation of an endpoint detection and response solution.
Penetration testing, vulnerability assessments and risk assessments
The proposed amendments make significant changes to the technical requirements of the cybersecurity regulation, including the following:
Covered Entities must conduct penetration testing of their information systems, from both inside and outside the systems' boundaries, by a qualified internal or external independent party at least annually.
Covered Entities must have a monitoring process that ensures they are promptly informed of new security vulnerabilities.
Covered Entities must have written vulnerability management policies and procedures that require automated scans of their information systems, together with manual review of any systems not covered by such scans, at a frequency determined by the risk assessment and promptly after any material change to a system.
Covered Entities must review and update their risk assessments at least annually, and whenever a material change in business or technology causes a material change in their cyber risk.
The proposed changes also expand the topics a Covered Entity's cybersecurity policies must address to include data retention, end-of-life management, remote access controls, systems monitoring, security awareness and training, application security, incident notification and vulnerability management.
The proposed changes also require a Covered Entity to limit user access privileges, the number of privileged accounts, and the access functions of those accounts to what is necessary for a user to perform his or her job. This includes a requirement that the Covered Entity periodically, and at least annually, review all user access privileges and remove or disable accounts and access that are no longer needed (for example, promptly terminating access to systems after an employee departs).
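The access review described above is usually run as a reconciliation of the identity store against the HR roster and recent login activity. The following script is an added illustration of that reconciliation and is not part of the original article or of the NYDFS regulation; the account and roster records, the field names, and the inactivity thresholds (90 days for standard accounts, 30 days for privileged ones) are constructed for this example and are not drawn from Part 500.

```python
"""Periodic user-access review: flag enabled accounts that should be disabled.

Added example. All data below is constructed for illustration; the field
names and inactivity thresholds are assumptions, not requirements of Part 500.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]   # None for service or shared accounts
    privileged: bool
    last_login: Optional[date]   # None if the account has never logged in
    enabled: bool


@dataclass(frozen=True)
class Employee:
    employee_id: str
    termination_date: Optional[date]  # None while still employed


# Constructed HR roster (employee_id -> record).
ROSTER: Dict[str, Employee] = {
    "E1": Employee("E1", None),
    "E2": Employee("E2", date(2022, 11, 15)),   # left the company
    "E3": Employee("E3", None),
    "E4": Employee("E4", None),
}

# Constructed identity-store export.
ACCOUNTS: List[Account] = [
    Account("asmith",     "E1", True,  date(2022, 12, 20), True),   # active admin
    Account("bjones",     "E2", False, date(2022, 11, 14), True),   # owner terminated
    Account("cwu",        "E3", False, date(2022, 8, 1),   True),   # long inactive
    Account("ekim",       "E4", False, None,               True),   # never used
    Account("ghost",      "E9", False, date(2022, 12, 1),  True),   # no HR record
    Account("svc-backup", None, True,  date(2022, 10, 1),  True),   # stale service acct
    Account("old-admin",  "E1", True,  date(2021, 1, 1),   False),  # already disabled
]

REVIEW_DATE = date(2022, 12, 31)


def review_access(accounts: List[Account], roster: Dict[str, Employee],
                  today: date, inactive_days: int = 90,
                  privileged_inactive_days: int = 30) -> Dict[str, str]:
    """Return {username: reason} for every enabled account that should be disabled.

    Checks, in order: the owner no longer exists in HR (orphaned account),
    the owner has a termination date on or before today, the account has
    never logged in, or the account has exceeded its inactivity threshold.
    Privileged accounts get the shorter threshold.
    """
    findings: Dict[str, str] = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing to do
        owner = roster.get(acct.employee_id) if acct.employee_id else None
        if acct.employee_id is not None and owner is None:
            findings[acct.username] = "no matching HR record (orphaned account)"
            continue
        if owner is not None and owner.termination_date is not None \
                and owner.termination_date <= today:
            findings[acct.username] = (
                f"owner terminated on {owner.termination_date.isoformat()}")
            continue
        if acct.last_login is None:
            findings[acct.username] = "never logged in"
            continue
        limit = privileged_inactive_days if acct.privileged else inactive_days
        idle = (today - acct.last_login).days
        if idle > limit:
            findings[acct.username] = f"inactive for {idle} days (limit {limit})"
    return findings


def overdue_terminations(accounts: List[Account], roster: Dict[str, Employee],
                         today: date, grace_days: int = 1) -> Dict[str, int]:
    """Return {username: days since termination} for enabled accounts whose
    owner left more than grace_days ago; a non-empty result means access was
    not terminated promptly."""
    overdue: Dict[str, int] = {}
    for acct in accounts:
        owner = roster.get(acct.employee_id) if acct.employee_id else None
        if acct.enabled and owner and owner.termination_date:
            days = (today - owner.termination_date).days
            if days > grace_days:
                overdue[acct.username] = days
    return overdue


if __name__ == "__main__":
    for user, reason in sorted(review_access(ACCOUNTS, ROSTER, REVIEW_DATE).items()):
        print(f"DISABLE {user}: {reason}")
    for user, days in overdue_terminations(ACCOUNTS, ROSTER, REVIEW_DATE).items():
        print(f"LATE TERMINATION {user}: still enabled {days} days after departure")
```

The review treats "no HR record" and "owner terminated" as hard findings regardless of recent activity, since a recent login on an orphaned or departed user's account is itself a warning sign; inactivity thresholds apply only to accounts with a valid, current owner.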
The proposed changes also require that a Covered Entity's annual Part 500 compliance certification to NYDFS be signed by both its highest-ranking executive and its Chief Information Security Officer (CISO).
Incident response and business continuity and disaster recovery plan
The proposed amendments now require a Covered Entity to provide relevant training on its incident response plan and its business continuity and disaster recovery plan to all employees necessary to implement those plans. The plans must be tested at least annually, and must be distributed to and accessible by the employees responsible for carrying them out.
The Proposed Amendments require a Covered Entity to use multi-factor authentication (MFA) for all remote access to its information systems, for remote access to third-party applications, and for all privileged accounts. Alternatively, the CISO may approve in writing the use of reasonably equivalent or more secure compensating controls in place of MFA; such approvals must be reviewed periodically, and at least annually, by the CISO.
The proposed changes require a Covered Entity's senior governing body to approve, at least annually, the Covered Entity's cybersecurity policies and procedures for protecting its information systems and the nonpublic information stored on them.
The proposed changes also impose several requirements on CISOs and give them the authority needed to "ensure that cybersecurity risks are appropriately managed." These include timely reporting to the senior governing body on material cybersecurity issues (such as significant cybersecurity events or updates to the risk assessment) and on the CISO's plans for remediating material inadequacies.
The Proposed Amendments also require a Covered Entity's board of directors or equivalent (such as an appropriate committee of the board) to exercise oversight of cybersecurity risk management, including the development, implementation and maintenance of the cybersecurity program. The board or its equivalent must have sufficient expertise and knowledge, or be advised by persons with sufficient expertise and knowledge, to exercise that oversight effectively.
The 60-day public comment period on the proposed changes ends on January 9, 2023, and members of the public are invited to submit comments to NYDFS.
Copyright © 2022, Hunton Andrews Kurth LLP. All rights reserved. National Law Review, Volume XII, Number 327