Amendments to NYDFS cybersecurity regulations: What you need to know
Amendments to NYDFS cybersecurity regulations: What you need to know
Introduction
What does the current regulation require?
The current regulation requires covered entities to follow a long list of requirements relating to cybersecurity best practices:
- Conduct and document an annual risk assessment
- Establish a written cybersecurity policy based on risk assessment with a list of specific areas to be addressed
- information security
- data governance and classification
- asset inventory and device management
- access controls and identity management
- business continuity and disaster recovery
- systems operations and availability concerns
- systems and network security
- systems and network monitoring
- systems and application development and quality assurance
- physical security and environmental controls
- customer data privacy
- vendor and service provider management
- risk assessment
- incident response
- Designate a Chief Information Security Officer (CISO) who is responsible for overseeing, implementing, and enforcing cybersecurity policies. The CISO is required to make an annual report to the entity’s Board of Directors
- Conduct penetration testing and vulnerability assessments
- Maintain an audit trail to allow detection and responses to security events
- Implement multi-factor authentication (MFA) unless the CISO has approved other equivalent methods
- Conduct monitoring to detect access by unauthorized users and provide regular training to personnel on security risks
- Encrypt nonpublic information both in transit and at rest unless the CISO has approved alternative controls
- Develop a written incident response plan
- Notify the DFS of security events within 72 hours of detection and submit an annual certification of compliance with the requirements of the Cybersecurity Regulation
Who does 23 NYCRR Part 500 apply to?
A “Covered entity” is defined in the regulation as any legal entity regulated under New York’s Banking Law, Insurance Law, or Financial Services Law. There are exemptions to most of the rules for: companies with fewer than 10 employees, or less than $5 million in revenues, or less than $10 million in assets.
Although this regulation only applies to financial services companies doing business in New York State, it is important to note that when the original rule came into effect in 2017, it became the de-facto standard adopted by other regulators around the world. The new amendment is likely to see similar acceptance as a national and international set of best practices.
What happens to companies that don't comply with 23 NYCRR Part 500?
In the last few years, the DFS has been quick to hand out steep penalties to companies for failing to comply with the Cybersecurity Regulation, generally after they suffered data breaches.
- In March 2021, Residential Mortgage Services received a $1.5 million fine after it suffered a data breach, failed to report it to DFS, and failed to have a risk assessment in place.
- In April 2021, National Securities received a $3 million fine after suffering a serious data breach and failing to implement MFA despite certifying that it was compliant with the Cybersecurity Regulation.
- In May 2021, First Unum Life Insurance and Paul Revere Life Insurance received a $1.8 million fine after suffering data breaches caused by successful phishing attacks. The companies had certified compliance with the Cybersecurity Regulation despite not having MFA in place.
- In June 2022, Carnival Corporation and several of its subsidiaries received a $5 million fine and surrendered their insurance producer licenses. The companies suffered four security events between 2019 and 2021 including two ransomware attacks. DFS found that they had certified compliance with the Cybersecurity Regulation despite not having MFA in place and that they had failed to conduct adequate security training.
- In August 2022, Robinhood Crypto agreed to pay a $30 million fine for violations of the Cybersecurity Regulation as well as anti-money laundering regulations.
Cybersecurity Regulations: what new requirements have been proposed?
In November 2022, the DFS released a proposed amendment to the Cybersecurity Regulation that, if enacted, would tighten up many areas of the existing regulation to make them less open-ended and more prescriptive. Rather than simply requiring that a company’s cybersecurity program addresses particular areas, the proposed amendment includes far more specifics around actions that companies need to take. The proposed amendment also creates additional, more stringent requirements for the largest companies (called “Class A companies” in the regulation). Class A companies are defined as those companies with over 2,000 employees or over $1 billion in revenue averaged over the last three years.
The updates to the requirements fall into five broad categories:
- Governance
- Notification and reporting
- Risk assessments
- Specific technical requirements
- Penalties
Governance
Notification and Reporting
Risk Assessments
Technical requirements
A new requirement is that all covered entities would need to develop procedures for ensuring an accurate inventory of all IT assets – which most security experts interpret as including not just hardware and software, but also operating systems, APIs, and cloud services, with requirements for each asset around the information that needs to be collected.
Although the rules previously strongly encouraged MFA, the new proposal would remove the CISOs discretion around requiring it for user accounts.
Most companies probably already have solutions in place to block malicious emails, but now these would be required. The training that was previously required would now need to specifically cover phishing and include exercises and simulations. Class A companies would need to implement an endpoint detection and response solution (unless the CISO approved an equivalent solution).
There are new requirements that companies ensure that strong, unique passwords are used. Class A companies also need to monitor access activity by privileged users and implement a password vaulting solution for privileged accounts and a method for automatically blocking commonly used passwords (unless the CISO approves equivalent or more secure controls in writing).
Penalties
The amendment makes clear that each 24-hour period that a company is out of compliance is a new violation. It also specifies the factors that DFS can consider when assessing a penalty, which includes cooperation, good faith, whether there was reckless or intentional conduct, the history of prior violations, and the seriousness of the violation.
The draft amendment also adjusts the size limits for companies to receive limited exemptions from the regulation. Companies smaller than 20 employees, or less than $5 million in revenue, or less than $15 million in assets would be exempted from most of the requirements, although they still need to file a Notice of Exemption with the DFS.
When will the amendment to 23 NYCRR Part 500 take effect?
These requirements are only a draft -- will the final amendment be very different?
The DFS will evaluate the comments they received while writing the final regulations. They are likely to make adjustments that loosen the rules somewhat, based on comments from businesses and industry groups, provided that the changes still meet their objectives of meaningfully improving cybersecurity.
How long do firms have to get into compliance with the new requirements?
What should companies do right now to get ready for the new rules?
How does CodeLogic help?
One area that is likely to have the most concrete impact on covered entities is the new requirement that they implement policies and procedures to ensure a complete asset inventory. This requirement applies to all covered entities, not just Class A companies. Section 500.13 (a) of the draft amendment reads “As part of its cybersecurity program, each covered entity shall implement written policies and procedures designed to ensure a complete, accurate, and documented asset inventory, including, all information systems and their components such as hardware, operating systems, applications, infrastructure devices, APIs, and cloud services. The asset inventory shall be maintained in accordance with written policies and procedures.” It then goes on to list the specific information that needs to be captured for each asset.
Most sizeable companies will already have technological solutions in place to inventory hardware and software, but in most cases, companies do not have a corresponding solution in place for APIs. CodeLogic’s customers are using our product to inventory REST API endpoints across portfolios of thousands of applications that no other developer tools can currently detect.
CodeLogic is a complete Continuous Software Intelligence platform that goes far beyond API endpoint detection by using highly sophisticated binary and runtime scanning technology to analyze the as-built architecture of software applications. What does this mean? As other vulnerabilities are identified in your applications, CodeLogic can analyze the impacts that these vulnerabilities pose across your application portfolio, and identify which components need to be inspected or remediated so you can safely, and thoroughly, address any issues.
Where can I get more information?
To determine how the proposed amendment would impact your business and how you will need to respond, you should contact an attorney or cybersecurity expert. Here are some sources of additional information:
- Existing NYDFS Cybersecurity Regulation text
- NYDFS Cybersecurity Resource Center
- Several law firms have written very good summaries of the proposed amendment