QUESTION
Our Cybersecurity Policy is a good one. I know this because we have had an examination, and the regulator approved it.
Although we are a mid-west company, I notice that New York requires an update to its cybersecurity rule. That makes me nervous since New York’s cybersecurity requirements influence many states.
I want to update our Cybersecurity Policy to reflect New York’s requirements. Sooner or later (probably sooner), our state is going to adopt the same requirements.
What are the new Cybersecurity Policy requirements in New York?
ANSWER
New York’s Department of Financial Services (DFS) has been quite active in requiring its licensees to comply with its Cybersecurity Rule (“Rule”). Effective March 1, 2017, the DFS promulgated a regulation[i] implementing the Rule.
I published a White Paper about the Rule in advance of its effective compliance date, entitled
Cybersecurity Guidelines – "First-in-the-Nation" Regulation.
You’re welcome to download it HERE.
From its inception, the DFS requires individuals and entities to comply with the Rule. These are called “Covered Entities.” A Covered Entities include, but are not limited to, partnerships, corporations, branches, agencies, and associations operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under the banking law, the insurance law, or the financial services law.
I agree that the DFS influences other state banking departments vis-à-vis cybersecurity regulations. Now, the DFS is proposing to update the Rule.[ii] So, it’s a good time to anticipate policy and procedure revisions. Even if the proposed Amendments (“Amendments”) are not adopted in full or at all, given the rapidly evolving cyber threat landscape and, in particular, the growing prevalence of ransomware incidents, many aspects of the Amendments reflect Best Practices.
Some of the proposed changes are rather significant. For instance, the updated Rule will have such requirements as a mandatory 24-hour notification for cyber ransom payments, heightened cyber expertise requirements for board members, and new access restrictions to privileged accounts.
I will provide a brief summary of the proposed updates. Covered entities should monitor whether the DFS formally proposes amendments to ensure they are equipped technically, organizationally, and financially to meet the heightened governance, technical, and notification obligations.
Notification Obligations
The Amendments will create new requirements to notify the DFS of certain incidents. Specifically, there will be a requirement to notify the DFS within 72 hours of any unauthorized access to privileged accounts or deployment of ransomware within a material part of the covered entity’s information systems.
Furthermore, covered entities will be required to notify the DFS within 24 hours of a covered financial institution making a ransomware payment connected to a cybersecurity event; additionally, there will be a requirement to provide the DFS within 30 days with an explanation of (a) why the payment was necessary, (b) whether alternatives were considered, and (c) what sanctions diligence was conducted.
Risk Assessments
There are risk assessment requirements under the current Cybersecurity Rule. Under the Rule, a covered entity must conduct a periodic risk assessment of its information systems “sufficient to inform the design of” its cybersecurity program required by the Rule and must update the risk assessment to address various changes, developments, and threats. The Amendments will expand upon the Rule’s definition of a “Risk Assessment” and more clearly articulate that an assessment must “take into account the specific circumstances of the covered entity.” And the Amendments also would clarify that a covered entity’s risk assessment must be updated at least annually or whenever a change in business or technology “causes a material change to the covered entity’s cyber risk.”
Heightened Monitoring
The Amendments will add several new monitoring requirements to the Rule, including:
· Completion of an asset
inventory that tracks
information (e.g., owner, location, classification or sensitivity,
support expiration date, and recovery time requirements) for each technology
asset (e.g., hardware, operating systems, applications,
infrastructure devices, APIs, and cloud services), and requirements for
updating and validating the asset inventory;
· Heightened access controls for privileged accounts, such as limiting access to a need-to-know basis, implementing multifactor authentication, and securely configuring or disabling protocols that permit remote control of devices;
· Regular phishing training and exercises for all personnel; and
· Monitoring and filtering of
emails to
block malicious content.
Governance
Governance will be updated in the Amendments to include new obligations, including:
· CISO independence and authority to ensure that cyber risks are appropriately managed;
· Additional CISO reporting obligations to the board of directors include plans for remediating inadequacies and timely reporting on material cybersecurity issues or major cybersecurity events (which are not defined);
· Expertise and knowledge thresholds for board members (or requirements that persons with such expertise and knowledge advise them) such that they can exercise effective oversight of cyber risk;
· Cybersecurity policy approval by the board (i.e., not senior management);
· Annual certification of compliance with the Cybersecurity Rule by CEO and CISO, as differentiated from a senior officer;
· Required business continuity and disaster recovery (“BCDR”) plans, which would be necessary to include certain prescribed content, such as identification of essential data, personnel, and infrastructure, a communications plan in the event of a disruption, and procedures for the maintenance of backup infrastructure;
· Periodic testing of incident response and BCDR plans, and ability to restore systems from backups, including to address ransomware incidents and the ability to recover from backups; and
· Annual review by CISO of the
feasibility of encryption and
effectiveness of the compensating controls, as well as a requirement to implement
a written policy requiring industry-standard encryption to protect nonpublic
information held at rest or transmitted over external networks by the covered
entity.
Larger (Class A) Companies
The Amendments will impose additional cybersecurity obligations on a new category of covered entities, so-called “Class A Companies.” Under the Amendments, a “Class A Company” would be a covered entity with: (1) over 2,000 employees; or (2) over $1 billion in gross annual revenues averaged over the last three years from all of its business operations and those of its affiliates.
These Class A Companies would be subject to additional cybersecurity obligations, including:
· Annual independent audits of the company’s cybersecurity program;
· Weekly vulnerability assessments will be conducted, including systematic vulnerability scans and reviews of information systems, and documentation and reporting to the board and senior management of material gaps identified by these assessments;
· Password controls, including a “vaulting solution” for privileged accounts and an automated method for blocking commonly used passwords;
· Monitor anomalous activity by way of endpoint detection and response solution, with a centralized solution for logging and security event alerting; and
· Risk assessments by external experts at least once every three years.
Even if a covered entity is not a large company, smaller companies should consider implementing at least some of the Class A obligations.
Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
[i] 23
NYCRR Part 500
[ii]
Announced by the DFS on July 29, 2022