Amendments to NYDFS cybersecurity regulations: What you need to know

Introduction

The New York State Department of Financial Services (DFS) has proposed an amendment to its 2017 Cybersecurity Regulation (also known as 23 NYCRR Part 500).  The 2017 regulation was one of the first of its kind and served as the model for many other regulations nationally and internationally. The proposed amendment would significantly expand the requirements that covered entities need to follow.

What does the current regulation require?

The current regulation requires covered entities to follow a long list of requirements relating to cybersecurity best practices:

  • Conduct and document an annual risk assessment
  • Establish a written cybersecurity policy based on risk assessment with a list of specific areas to be addressed
    1. information security
    2. data governance and classification
    3. asset inventory and device management
    4. access controls and identity management
    5. business continuity and disaster recovery
    6. systems operations and availability concerns
    7. systems and network security
    8. systems and network monitoring
    9. systems and application development and quality assurance
    10. physical security and environmental controls
    11. customer data privacy
    12. vendor and service provider management
    13. risk assessment
    14. incident response
  • Designate a Chief Information Security Officer (CISO) who is responsible for overseeing, implementing, and enforcing cybersecurity policies. The CISO is required to make an annual report to the entity’s Board of Directors
  • Conduct penetration testing and vulnerability assessments
  • Maintain an audit trail to allow detection and responses to security events
  • Implement multi-factor authentication (MFA) unless the CISO has approved other equivalent methods
  • Conduct monitoring to detect access by unauthorized users and provide regular training to personnel on security risks
  • Encrypt nonpublic information both in transit and at rest unless the CISO has approved alternative controls
  • Develop a written incident response plan
  • Notify the DFS of security events within 72 hours of detection and submit an annual certification of compliance with the requirements of the Cybersecurity Regulation

Who does 23 NYCRR Part 500 apply to?

A “Covered entity” is defined in the regulation as any legal entity regulated under New York’s Banking Law, Insurance Law, or Financial Services Law.  There are exemptions to most of the rules for: companies with fewer than 10 employees, or less than $5 million in revenues, or less than $10 million in assets.

Although this regulation only applies to financial services companies doing business in New York State, it is important to note that when the original rule came into effect in 2017, it became the de facto standard adopted by other regulators around the world. The new amendment is likely to see similar acceptance as a national and international set of best practices.

What happens to companies that don't comply with 23 NYCRR Part 500?

In the last few years, the DFS has been quick to hand out steep penalties to companies for failing to comply with the Cybersecurity Regulation, generally after they suffered data breaches. 

  • In March 2021, Residential Mortgage Services received a $1.5 million fine after it suffered a data breach, failed to report it to DFS, and failed to have a risk assessment in place.
  • In April 2021, National Securities received a $3 million fine after suffering a serious data breach and failing to implement MFA despite certifying that it was compliant with the Cybersecurity Regulation.
  • In May 2021, First Unum Life Insurance and Paul Revere Life Insurance received a $1.8 million fine after suffering data breaches caused by successful phishing attacks. The companies had certified compliance with the Cybersecurity Regulation despite not having MFA in place.
  • In June 2022, Carnival Corporation and several of its subsidiaries received a $5 million fine and surrendered their insurance producer licenses. The companies suffered four security events between 2019 and 2021 including two ransomware attacks. DFS found that they had certified compliance with the Cybersecurity Regulation despite not having MFA in place and that they had failed to conduct adequate security training.
  • In August 2022, Robinhood Crypto agreed to pay a $30 million fine for violations of the Cybersecurity Regulation as well as anti-money laundering regulations.

Cybersecurity Regulations: what new requirements have been proposed?

In November 2022, the DFS released a proposed amendment to the Cybersecurity Regulation that, if enacted, would tighten up many areas of the existing regulation to make them less open-ended and more prescriptive.  Rather than simply requiring that a company’s cybersecurity program addresses particular areas, the proposed amendment includes far more specifics around actions that companies need to take.  The proposed amendment also creates additional, more stringent requirements for the largest companies (called “Class A companies” in the regulation). Class A companies are defined as those companies with over 2,000 employees or over $1 billion in revenue averaged over the last three years.

The updates to the requirements fall into five broad categories:

  1. Governance
  2. Notification and reporting
  3. Risk assessments
  4. Specific technical requirements
  5. Penalties

Governance

The proposal strengthens the accountability of the company’s Board of Directors – the Board would need to approve the cybersecurity policy annually, and it would be required to have (among the board members or through advisors) enough expertise to effectively oversee the security program. The proposal would also strengthen the role of the CISO by seeking to ensure that the CISO can act independently as required to manage cybersecurity risks, and that the CISO reports to the Board annually in writing.

Notification and Reporting

The amendment would extend the existing 72-hour window for notifying DFS of security events to include incidents of unauthorized access to privileged accounts, or ransomware attacks. Under the proposed regulations, companies would need to notify the DFS within 24 hours of making an extortion payment and would need to provide a written description of why the payment was necessary and what diligence was conducted to make sure that it complied with applicable rules and regulations.

Risk Assessments

The existing regulations already have a requirement that companies need to conduct risk assessments to determine the types of security controls required.  The proposal is more specific about what needs to be included in a risk assessment and would require that risk assessments are updated at least annually, and when business changes (say an acquisition) cause a material change to the company’s cybersecurity risk.  It would also require that Class A companies use external experts to conduct the risk assessment at least once every three years.

Technical requirements

A new requirement is that all covered entities would need to develop procedures for ensuring an accurate inventory of all IT assets – which most security experts interpret as including not just hardware and software, but also operating systems, APIs, and cloud services, with requirements for each asset around the information that needs to be collected.

Although the rules previously strongly encouraged MFA, the new proposal would remove the CISO’s discretion around requiring it for user accounts.

Most companies probably already have solutions in place to block malicious emails, but now these would be required.  The training that was previously required would now need to specifically cover phishing and include exercises and simulations. Class A companies would need to implement an endpoint detection and response solution (unless the CISO approved an equivalent solution).

There are new requirements that companies ensure that strong, unique passwords are used. Class A companies would also need to monitor access activity by privileged users and implement a password vaulting solution for privileged accounts and a method for automatically blocking commonly used passwords (unless the CISO approves equivalent or more secure controls in writing).

Penalties

The amendment makes clear that each 24-hour period that a company is out of compliance is a new violation. It also specifies the factors that DFS can consider when assessing a penalty, which include cooperation, good faith, whether there was reckless or intentional conduct, the history of prior violations, and the seriousness of the violation.

The draft amendment also adjusts the size limits for companies to receive limited exemptions from the regulation.  Companies smaller than 20 employees, or less than $5 million in revenue, or less than $15 million in assets would be exempted from most of the requirements, although they still need to file a Notice of Exemption with the DFS.

When will the amendment to 23 NYCRR Part 500 take effect?

DFS issued the proposed amendment on November 9, 2022. There will be a 60-day comment period after the formal regulation has been released.  Once that period has passed, DFS will incorporate comments and release the final amendment.  It’s likely that this wouldn’t happen until 2023.

These requirements are only a draft: will the final amendment be very different?

The DFS will evaluate the comments they received while writing the final regulations. They are likely to make adjustments that loosen the rules somewhat, based on comments from businesses and industry groups, provided that the changes still meet their objectives of meaningfully improving cybersecurity.

How long do firms have to get into compliance with the new requirements?

Most requirements would take effect 180 days after adoption. Most of the technology-focused requirements would take effect after 1 year, and the new notification requirements would be effective 30 days after adoption. Notably, the requirements around the asset inventory are on the 180-day timeline.

What should companies do right now to get ready for the new rules?

Even though the amendment probably won’t become final until 2023, and the new requirements wouldn’t kick in until even later, it is a good idea to begin assessing what is required now.  The technical requirements in particular could be very time-consuming and expensive, so it would be wise to start planning to ensure that there will be an adequate budget and resources in place to comply within the required timeline.

How does CodeLogic help?

One area that is likely to have the most concrete impact on covered entities is the new requirement that they implement policies and procedures to ensure a complete asset inventory. This requirement applies to all covered entities, not just Class A companies.  Section 500.13 (a) of the draft amendment reads “As part of its cybersecurity program, each covered entity shall implement written policies and procedures designed to ensure a complete, accurate, and documented asset inventory, including, all information systems and their components such as hardware, operating systems, applications, infrastructure devices, APIs, and cloud services.  The asset inventory shall be maintained in accordance with written policies and procedures.” It then goes on to list the specific information that needs to be captured for each asset.

Most sizeable companies will already have technological solutions in place to inventory hardware and software, but in most cases, companies do not have a corresponding solution in place for APIs. CodeLogic’s customers are using our product to inventory REST API endpoints across portfolios of thousands of applications that no other developer tools can currently detect.

CodeLogic is a complete Continuous Software Intelligence platform that goes far beyond API endpoint detection by using highly sophisticated binary and runtime scanning technology to analyze the as-built architecture of software applications.  What does this mean?  As other vulnerabilities are identified in your applications, CodeLogic can analyze the impacts that these vulnerabilities pose across your application portfolio, and identify which components need to be inspected or remediated so you can safely, and thoroughly, address any issues.

Where can I get more information?

To determine how the proposed amendment would impact your business and how you will need to respond, you should contact an attorney or cybersecurity expert.  Here are some sources of additional information:
