United States: NYDFS Releases Amendment To Cybersecurity Regulation

On November 1, 2023, the New York Department of Financial Services (“NYDFS”) finalized the amendment to its cybersecurity regulation (the “Amendment”). The Amendment expands cybersecurity requirements across many areas—from governance to incident response to access controls. 

The Amendment follows the three published drafts: two proposals published for formal notice and comment in November 2022 and June 2023, and a pre-proposal draft published in July 2022. The final version resembles the June 2023 proposal, but includes a handful of key changes and clarifications.

In this Legal Update, we analyze the new requirements introduced in the Amendment. These changes include: (1) new requirements for larger, companies (so-called “Class A Companies”); (2) expanded governance requirements for boards, senior officers, and chief information security officers (as defined below); (3) expanded cyber incident notice and compliance certification requirements; (4) new requirements for incident response and business continuity planning; and (5) an expanded multi-factor authentication requirement for user access to a company's network. We also include a table that tracks the effective dates for when these new requirements go into effect.

Who's Covered by the NYDFS Cybersecurity Regulation?

The scope of “covered entities” remains the same. Covered entities are any person operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under the New York Banking Law, Insurance Law, or Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies. “Person” is broadly defined as “any individual or entity, including but not limited to any partnership, corporation, branch, agency or association.”

New Requirements for Large Companies

The Amendment introduces new requirements for larger, so-called “Class A Companies.” The original regulation did not have separate requirements for large companies. A “Class A Company” is a covered entity with at least $20 million in gross annual revenue from business operations in New York and either (1) more than 2,000 employees in total; or (2) over $1 billion in gross annual revenue from business operations in all states. For purposes of calculating revenue and employee thresholds, covered entities should include all affiliates with which they share information systems, cybersecurity resources, or any part of a cybersecurity program.

Section 500.2 requires Class A Companies to conduct “Independent Audits” of their cybersecurity programs. This provision omits the 2023 proposal's requirement that Class A Companies must conduct these audits at least annually, but includes the requirement that such Independent Audits must be based on the Class A Companies' risk assessments. An Independent Audit is defined as an audit conducted by internal or external auditors, free to make their own decisions, not influenced by the covered entity or its owners, managers, or employees.

The Amendment also imposes two requirements for Class A Companies in Section 500.7. Class A companies must: (1) implement a privileged access management solution; and (2) automatically block common passwords for information system accounts. If the latter requirement is not feasible, then the covered entity's CISO must provide annual written approval for the infeasibility and use of alternative controls.

Section 500.14 requires that Class A Companies implement an endpoint detection and response solution, as well as a solution that centralizes logging and security event alerting. Alternatively, the company's chief information security officer may approve reasonably equivalent or more secure compensating controls.

Section 500.1 – Definitions

The Amendment defines a “Chief Information Security Officer” (“CISO”) as a “qualified individual responsible for overseeing and implementing a covered entity's cybersecurity program and enforcing its cybersecurity policy.” The Amendment also adds a definition of “cybersecurity incident” to align with the term's use in other laws, rules and regulations. Although the definition is new, the text of the definition is not, and the substantive reporting requirements remain the same.

Section 500.2 – Cybersecurity Program

In the existing requirement that a covered entity maintain a cybersecurity program designed to protect its information systems, the Amendment adds language requiring that such program also protect nonpublic information stored on the applicable information systems.

The provision also requires covered entities to make available all documentation and information relevant to their cybersecurity programs, including provisions of a cybersecurity program that are adopted by the covered entity from an affiliate.

Finally, the Amendment requires Class A Companies to design and conduct independent audits of their cybersecurity programs based upon their risk assessment. The proposed version required annual independent audits.

Section 500.3 – Cybersecurity Policy

The Amendment requires that a covered entity's cybersecurity policy be approved by the senior officer or Senior Governing Body at least annually. The Amendment defines a “Senior Governing Body” as a board of directors (or appropriate committee thereof) or equivalent governing body, or, if there is no such body, the senior officer responsible for cybersecurity. Notably, the Amendment does not include a requirement set forth in the proposed version that would have required the Senior Governing Body to approve the cybersecurity policy.

The Amendment also states that a covered entity should develop, document, and implement procedures pursuant to its cybersecurity policy. The list of required policies has been expanded to include data retention, end of life management, remote access controls, systems and network monitoring, security awareness and training, systems and application security, and vulnerability management.

Section 500.4 – Cybersecurity Governance

The Amendment expands governance requirements for covered entities and renames 500.4 from “Chief Information Security Officer” to “Cybersecurity Governance.” The Amendment slightly modifies this provision to clarify that the Senior Governing Body must be allocated sufficient resources to implement and maintain an effective cybersecurity program. The Amendment also expands reporting obligations by requiring the CISO to timely report material cybersecurity issues to the Senior Governing Body or senior officer(s), including significant cybersecurity events and significant changes to the cybersecurity program.

The Amendment adds a requirement that the Senior Governing Body exercise oversight of the entity's cybersecurity risk management, including by: (1) having sufficient understanding of cybersecurity matters; (2) requiring executive management or its designees to develop, implement, and maintain the cybersecurity program; (3) regularly reviewing management reports about cybersecurity; and (4) confirming that management has allocated sufficient resources to maintain an effective cybersecurity program.

Section 500.5 – Vulnerability Management

The Amendment changes the name of this Section from “Penetration Testing and Vulnerability Assessments” to “Vulnerability Management.” The Amendment requires a covered entity to develop and implement written vulnerability management policies and procedures designed to assess and maintain the effectiveness of the cybersecurity program. The Amendment does not include language set forth in the original regulation requiring monitoring and testing to include continuous monitoring or periodic penetration testing and vulnerability assessments.

The Amendment further requires that a covered entity conduct (1) annual penetration testing of information systems from inside and outside the systems' boundaries by a qualified internal or external party; and (2) automated vulnerability scans of information systems and a manual review of other systems at a frequency determined by the risk assessment, as well as after any material system changes. The Amendment removes the requirement from the original resolution focused on bi-annual vulnerability assessments.

The Amendment requires that covered entities have a monitoring process for identifying new security vulnerabilities and their timely remediation.

Section 500.6 – Audit Trail

The Amendment does not make changes to this Section.

Section 500.7 – Access Privileges and Management

The Amendment expands the requirements for access privileges, adding “and Management” to the title of the Section. The Amendment imposes the requirements that a covered entity must (1) limit user access privileges to nonpublic information to only those necessary to perform the user's job; (2) limit the number of privileged accounts and access functions of those accounts to only those necessary to perform the user's job; (3) only permit use of privileged accounts when performing functions requiring that access; (4) annually review all user access privileges and remove or disable unnecessary accounts or access; (5) disable or securely configure all protocols that permit remote device control; and (6) promptly terminate access after departures.
If passwords are used for authentication, the Amendment requires that covered entities implement a written password policy that complies with industry standards.

Section 500.8 – Application Security

The Amendment requires that the CISO must now review application security procedures, guidelines, and standards at least annually.

Section 500.9 – Risk Assessment

The Amendment requires that covered entities review and update their risk assessments at least annually, as well as whenever a change in the business or technology causes a material change to cyber risk. The Amendment also adds an expanded definition for “risk assessment” in the definitions section.

Section 500.10 – Cybersecurity Personnel and Intelligence

The Amendment does not make substantive changes to this Section.

Section 500.11 – Third-Party Service Provider Security Policy

The Amendment did not implement material changes to this Section, except that the “Limited Exception” to the requirements for third-party service provider security policies was removed. However, the same exemption is provided for in 500.19. The Amendment adds language to the definition of a “Third-Party Service Provider” to expressly exclude government entities. In response to the comments received, the NYDFS also indicated that it was considering providing additional guidance on this Section and third-party risks.

Section 500.12 – Multi-Factor Authentication (MFA)

The Amendment requires multi-factor authentication whenever an individual accesses the information systems of a covered entity. The multi-factor authentication requirement in the proposed version was slightly modified in the Amendment to more closely align with the Federal Trade Commission (“FTC”) Safeguards Regulation. There is a limited exemption for certain smaller companies, as referenced in Section 500.19.

As in the original regulation, the CISO may instead approve “reasonably equivalent or more secure compensating controls,” which must be reviewed at least annually.

Section 500.13 – Asset Management and Data Retention Requirements

The Amendment states that covered entities must implement documented policies and procedures, and maintain a complete and accurate inventory of the covered entity's information systems. This must include a method to track key information for each asset and the frequency required to update and validate the asset inventory.

Section 500.14 – Monitoring and Training

The Amendment requires a cybersecurity program to include risk-based controls, including those that monitor and filter web traffic and emails to block malicious content. It further states that the program must include at least annual cybersecurity awareness training, adding the requirement that this training include social engineering.

Section 500.15 – Encryption of Nonpublic Information

The Amendment continues to require that covered entities implement written encryption policies that encrypt nonpublic information at rest and in transit over external networks. The Amendment removes the ability of the CISO to approve compensating controls for encryption in transit over external networks, but continues to allow CISO-approved compensating controls as an alternative to encryption at rest when such encryption is not feasible.

Section 500.16 – Incident Response and Business Continuity Management

The Amendment adds “and Business Continuity Management” to the title of this Section. The Amendment includes a new requirement for business continuity and disaster recovery (“BCDR”) planning. It further states that BCDR plans must focus on protecting against cybersecurity-related disruptions to business operations by imposing specified measures, such as identifying essential documents, data, and personnel, and including plans and procedures for managing a cybersecurity-related disruption.

Incident response plans must now include (1) root cause analysis of the event, any business impact, and prevention measures; and (2) updates to the incident response plans as needed.
The Amendment requires that covered entities ensure that all necessary employees and management have access to the plans, provide relevant training to these employees, provide at least annual testing for the effectiveness of its incident response and BCDR plans, and maintain and protect necessary backups.

Section 500.17(a), (c) – Incident Notification

The Amendment expands the cybersecurity incident notification requirements. A new definition of “Cybersecurity Incident” states that cybersecurity events are reportable whether they occurred at the covered entity, its affiliates, or a third-party service provider if that incident impacts the covered entity. In addition to the notification triggers in the original regulation, the Amendment also requires reporting any incident that results in the deployment of ransomware within a material part of the covered entity's information systems. The Amendment removes a proposed requirement that would have required reporting any incident involving unauthorized access to a privileged account.

The Amendment adds a requirement that covered entities must provide the superintendent with any requested information, and that the entity shall have a continuing obligation to update the superintendent with material changes or new information previously unavailable.

Finally, the Amendment adds requirements for covered entities that make cyber extortion payments, such as a payment after a ransomware attack. Covered entities that make an extortion payment must notify the Department within one day of making that payment, and within 30 days, covered entities must submit a written statement explaining why the payment was necessary, what alternatives were considered, and what due diligence was performed.

Section 500.17(b) – Compliance Certification

There are two significant changes to the annual compliance certification. First, the certification must be signed by the CISO and the covered entity's highest-ranking executive. Second, the Amendment qualifies certification by stating that covered entities must certify “material” compliance during the prior calendar year. This reflects changes made to the annual certification process by the NYDFS, which was changed from requiring full compliance to requiring material compliance.

The Amendment also adds a requirement that covered entities that cannot certify material compliance must instead submit a written acknowledgment of noncompliance that describes the reasons for noncompliance and the timeline for coming into compliance.

Section 500.18 – Confidentiality

The Amendment does not impose changes to this Section.

Section 500.19 – Exemptions

The Amendment expands several exemptions from the regulation's requirements. For instance, the Amendment increases the number of companies that qualify for small-company exemptions, raising the threshold number of employees from 10 to 20 and the total assets from $10 million to $15 million. It adds an additional change, updating the gross annual revenue threshold from $5 million to $7.5 million. To qualify for this limited exemption, an entity must have less than $7.5 million in gross annual revenue in each of the last three fiscal years from the business operations —wherever located—and the New York business operations of its affiliates. The location of the affiliates is not relevant. It also requires that companies that ceased to be eligible for an exemption have 180 days to comply.

Section 500.20 – Enforcement

The Amendment expands the enforcement provision, defining a violation of the cybersecurity regulation as either (1) the failure to secure, or prevent unauthorized access to, an individual's, or an entity's, nonpublic information due to noncompliance with the regulation; or (2) the material failure to comply with any requirement for any 24-hour period.

The Amendment further lists the following factors that the NYDFS will consider when assessing a penalty for violations: (1) cooperation with the investigation; (2) good faith; (3) whether the violations were unintentional, reckless, deliberate, etc.; (4) whether the violation was a result of a failure to remedy past examination matters or failure to adhere to similar instructions; (5) any history of past violations; (6) whether the violation was isolated, repeated, systemic, etc.; (7) whether the covered entity provided false or misleading information; (8) the extent of harm to consumers; (9) whether consumers received required, accurate, and timely disclosures; (10) the gravity of the violations; (11) the number and duration of the violations; (12) the extent of senior governing body participation; (13) any other regulatory penalty or sanction imposed; (14) financial resources, net worth, and annual business volume of the covered entity and its affiliates; (15) the extent to which the company's policies and procedures complied with nationally recognized cybersecurity frameworks, such as that of the National Institute of Standards and Technology; and (16) other matters required by justice and the public interest.

The consequences for failing to comply with the cybersecurity regulations could be significant. In addition to potential injunctive relief, the NYDFS has authority to issue civil monetary penalties. Under New York's Financial Services Law and Insurance Law, covered entities can be fined up to $1,000 per violation. Under NY's Banking Law, penalties can be up to $25,000 per day for intentional violations, $5,000 per day for reckless violations, and $1,000 per day for negligent violations.

Effective Dates of the New Requirements

The new requirements imposed by the Amendment will phase in over the next two years, per the schedule below.

Visit us at mayerbrown.com

Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.

© Copyright 2023. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.