NYDFS Proposes Modifications to 23NYCRR 500
Applicability of the NYDFS Regulations
The amended NYDFS Cybersecurity Rules would apply to financial entities licensed to operate in the State of New York, and would impose additional requirements on a subset defined as Class A Companies: covered entities with at least $20M in gross annual revenue in each of the last two fiscal years from business operations of the covered entity and its affiliates in New York that also have either over 2,000 employees or over $1B in gross annual revenues.
Could the NYDFS Rules Reach A Parent Company?
Based on a review of NYDFS enforcement actions and consent decrees, including a recent consent order involving Robinhood Crypto, LLC (Robinhood), there are two scenarios in which NYDFS could potentially reach a parent company: 1) as a result of examination findings, and 2) as a result of an investigation related to a security event. In the Robinhood matter, NYDFS evaluated the parent, Robinhood Markets, Inc. (RHM), because Robinhood’s cybersecurity program relied almost exclusively on RHM’s information systems. In particular, Robinhood had no in-house staff exclusively devoted to its cybersecurity program and instead adopted and relied on RHM’s cybersecurity program.
1. Examination Findings
NYDFS periodically examines the cybersecurity programs of covered entities. Where an examination shows that the covered entity’s program is, in substance, the parent’s program, as with Robinhood, which had no in-house cybersecurity staff and adopted RHM’s program and information systems, the examiners’ review of that program necessarily extends to the parent’s policies, procedures and technical controls, and examination findings about those controls are findings about the parent.
To reduce this risk, the subsidiary must have the accountability and independence to establish its own policies, administrative measures, and security controls, so that examiners can test its compliance from the subsidiary’s own program and records. The less the subsidiary appears to rely on the parent for its compliance, the fewer opportunities NYDFS will have to look to the parent to test that compliance.
2. Security Events
If there is a significant cybersecurity event, it is highly probable that NYDFS will initiate a regulatory investigation of the event, including the administrative and technical measures in place. Additionally, if the investigation finds that the event could have been avoided had more robust technical measures been in place, NYDFS will likely scrutinize the decisions regarding those technical controls. To the extent that the technical controls are dependent on the parent company or that the decisions regarding the administrative procedures and technical measures were driven by the parent company, NYDFS may reach the parent as part of its investigation.
The same mitigation applies: the subsidiary must have the accountability and independence to establish its own policies, administrative measures, and security controls, and the less it appears to rely on the parent for its compliance, the fewer opportunities NYDFS will have to look to the parent to test that compliance.
Timeline For Implementation
The comment period for the proposal closes on Monday, January 9, 2023. Except where noted on specific requirements below, the proposed requirements would take effect 180 days after the final version is adopted, which would be no earlier than July 8, 2023.
New Requirements
Cybersecurity Obligations. The current version of the regulation already contains cybersecurity obligations; the proposal adds the following:
- Annual Audits: Class A companies must conduct an independent audit of their cybersecurity program at least annually. Additionally, all documentation relevant to the covered entity’s cybersecurity program, including the provisions of a cybersecurity program maintained by an affiliate and adopted by the covered entity, must be made available to NYDFS upon request.
- Risk Assessments: The risk assessment must be updated at least annually, and an impact assessment must be conducted whenever a change in the business or technology causes a material change to the company’s cyber risk. Class A companies must use external experts to conduct the risk assessment at least once every three years.
- Vulnerability Assessments and Penetration Testing: The proposal requires automated vulnerability scans of information systems, and manual review of systems not covered by those scans, at a frequency determined by the risk assessment; the timeline for implementation of the scanning requirement is 18 months after adoption. Penetration testing must be performed at least annually from both inside and outside the boundary of the covered entity’s information systems.
- Asset Management: A complete asset inventory must be maintained. At the minimum, the inventory must track owner, location, classification or sensitivity, support expiration date, recovery time requirements, and the frequency required to update and validate the covered entity’s asset inventory.
- Access Privileges and Privileged Accounts: Privileged accounts must be limited to those necessary to perform job functions, and their use limited to the functions that require them. Privileged accounts must be protected with multi-factor authentication unless reasonably equivalent or more secure compensating controls are implemented and approved in writing by the CISO. All protocols that permit remote control of devices must be disabled or securely configured. User access privileges must be reviewed periodically and revoked when no longer necessary. The timeline for implementation of this requirement is 18 months after adoption.
- Password Controls: Class A companies must implement an automated method for blocking commonly used passwords or, where automated blocking is infeasible, document why and implement compensating controls approved annually in writing by the CISO. The timeline for implementation of this requirement is 18 months after adoption.
- Monitoring: Class A companies must implement an endpoint detection and response solution to monitor anomalous activity, including lateral movement, as well as a solution that centralizes logging and security event alerting.
Governance Obligations. The Proposed Rules would impose new, enhanced governance requirements, including:
- CISO Authority: The CISO must have adequate authority to ensure that cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program.
- Additional Board Reporting: The CISO’s annual report to the board must include plans for remediating inadequacies. The CISO must also timely report to the board on material cybersecurity issues or major cybersecurity events.
- Board Expertise: The board of covered entities must have sufficient expertise and knowledge (or be advised by persons with sufficient knowledge and expertise) to exercise effective oversight of cyber risk.
- Board Approval of Information Security Policies: The written information security policy/policies must be approved by the board (or appropriate committee of the board) at least annually.
- Annual Certification: The annual certification of compliance must be signed by the covered entity’s highest ranking executive and the CISO. The certification requirement allows for an acknowledgement of less-than-full compliance, with an identification of the specific deficiencies and documentation of remedial efforts planned and underway, along with a timeline for implementation of the remedial efforts.
- Incident Response and Business Continuity and Disaster Recovery Plans: The proposed amendments add specific, detailed requirements for both incident response plans and business continuity and disaster recovery plans. The incident response plan must also address disruptive events such as ransomware incidents. Current copies of the plans must be distributed or otherwise made available to all employees necessary to implement them. The plans must be tested, including the ability to restore from backups, at least annually.
Notifications: Under the existing NYDFS Cyber Rules, a covered entity must notify NYDFS within 72 hours of determining that a cybersecurity event has occurred (1) for which it is required to provide notice to any government body, self-regulatory agency or any other supervisory body; or (2) that has a reasonable likelihood of materially harming, disrupting, or degrading any material part of its normal operations. The proposed rules add the following notification obligations:
- Third-Party Service Provider Events and Form of Notice: The 72-hour notification requirement is extended to cybersecurity events at third-party service providers, measured from when the covered entity becomes aware of the third-party event. Notice must be submitted electronically in the form set forth on NYDFS’ website, and there is an ongoing obligation to update and supplement that notice.
- Privileged Account Access and Ransomware Notifications: Notify NYDFS within 72 hours of any unauthorized access to privileged accounts or deployment of ransomware within a material part of the company’s information systems.
- Extortion Payments: NYDFS must be notified within 24 hours of any extortion payment made in connection to a cybersecurity event. Additionally, within 30 days of making an extortion payment, a report must be submitted explaining why payment was necessary, alternatives that were considered, and all diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control.
The timeline for implementation of the notice requirements is 30 days after adoption.
Comparison to the July 2022 23 NYCRR 500 Pre-proposal
These are the relevant material changes between the current proposal and the July 2022 pre-proposal.
- Definition of “Class A Company”: The new proposal added that the definition of Class A company includes covered entities (financial entities licensed in NY) with at least $20M in gross annual revenue in each of the last two fiscal years from business operations of the covered entity and its affiliates in New York.
- CEO Involvement: The requirement for the CEO to sign the annual certification of compliance was replaced with a requirement that the certification be signed by the covered entity’s highest ranking executive, in addition to the CISO. The new proposal also removes the requirement for the CEO to participate in the testing of incident response plans.
- Vulnerability Scanning: The pre-proposal requirement for Class A companies to conduct weekly vulnerability scans was removed. The new proposal requires automated vulnerability scans, and manual review of systems not covered by those scans at a frequency determined by the risk assessment.
- Password Controls: The requirement for password vaulting of privileged access accounts was removed. There is still a requirement to use an automated method for blocking commonly used passwords, but the proposal allows compensating controls to be used when automated methods are infeasible. The compensating controls must be approved annually by the CISO.
- Multi-factor Authentication (MFA): The pre-proposal’s requirement regarding the use of MFA was retained but an exception was added where reasonably equivalent or more secure compensating controls have been implemented and approved by the CISO in writing.
- Penetration Testing: The proposal requires an annual penetration test from both inside and outside the boundary of the covered entity’s information systems.
- Vulnerability Management: The proposal requires covered entities to develop and implement written policies and procedures for vulnerability management that are designed to assess the effectiveness of the cybersecurity program.
- CISO Role: The pre-proposal requirement that the CISO have independence has been replaced with a requirement that the CISO have adequate authority to ensure that cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program.
- Annual Certification of Compliance: The annual certification of compliance adds a requirement for a written acknowledgement, where compliance is not full, that provides remediation plans and a timeline for implementation. The requirement for the CEO to sign the annual certification was replaced with a requirement that it be signed by the covered entity’s highest ranking executive in addition to the CISO.
- Board Oversight: The proposal maintains the requirement for the company’s board to have sufficient expertise and knowledge, or be advised by persons with sufficient expertise and knowledge, to exercise effective oversight of cyber risk and a committee or subcommittee assigned responsibility for cybersecurity. The new proposal adds the requirement for the board to provide oversight and direction to the management of the cyber risk management program.
- Business Continuity and Disaster Recovery (BCDR): The majority of the pre-proposal’s requirements for BCDR remain. The proposal adds a requirement that the covered entity ensure that current copies of the plans are distributed or otherwise available to all employees necessary to implement that plan. The plans must be tested, including the ability to restore from backups, at least annually.
- Notice Requirements: The 72-hour notification requirement for cybersecurity events contained in the pre-proposal is retained. The proposal extends the requirement to include third party service provider cybersecurity events. The covered entity has 72 hours after becoming aware of the third-party event to provide notice to NYDFS. Additionally, notice to NYDFS must be electronic in the form set forth on NYDFS’ website. There is also an ongoing obligation to update and supplement the NYDFS form.