Tough New Amendments to New York Cybersecurity Regulation Kick in Soon

By Saili Hernandez, ERMProtect

This is one in a series of articles by ERMProtect tracking key changes in cyber regulations, standards, and laws that could impact our clients and prospective clients.

Solidifying its status as a leader in safeguarding consumer data, the state of New York will begin enforcing amendments to its Cybersecurity Regulation this month that require financial institutions to comply with more stringent cybersecurity controls to better protect themselves against increasingly prevalent and sophisticated cyberattacks.

The amendments mark the most significant expansion of the New York Cybersecurity Regulation (23 NYCRR Part 500) since its enactment on March 1, 2017. The Regulation was the first in the country to implement minimum cybersecurity standards in the financial industry.

Who Must Comply

A covered entity under the Regulation is defined as a “person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”

This includes entities such as banks, mortgage brokers, insurance companies, and other financial institutions regulated by the New York Department of Financial Services (NYDFS).

Compliance is generally required by April 29; however, multiple provisions have later deadlines, as outlined below.

Highlights of New Requirements

Some of the most noteworthy amendments require:

  • Oversight of the cybersecurity program by a “senior governing entity,” such as the board of directors, a board committee, or an equivalent governing body. Among other requirements, this body must confirm that management allocated sufficient resources to cyber protection.
  • Notification within 24 hours if an extortion payment is made, along with a written explanation of why the extortion payment was made and what alternatives to payment were considered. Also, notification within 72 hours after a cybersecurity incident has occurred.
  • Annual penetration testing from both inside and outside of the information systems’ boundaries by a qualified internal or external party. Also, automated scans of information systems to discover vulnerabilities.
  • Access restrictions based on the user’s job role and, with limited exceptions, implementation of multi-factor authentication across the enterprise.
  • A comprehensive inventory of all information systems and classification of all the data they contain by level of sensitivity, among other requirements.
  • Annual Cybersecurity Awareness Training that includes social engineering.
  • A Business Continuity and Disaster Recovery (BCDR) plan to protect the entities’ information systems against cybersecurity-related disruptions.
  • A written certification of compliance or non-compliance by the entity’s highest-ranking executive and its CISO.

Considering NYDFS’ willingness to bring enforcement actions for violations of the Cybersecurity Regulation, covered entities must act now to evaluate gaps in their existing cybersecurity programs and ensure prompt rectification of missing elements such as annual penetration testing, access restriction procedures, business continuity plans, and risk assessments.

Here’s a more in-depth look at key aspects of the amendments and what they require:

Creation of Larger “Class A” Companies

One of the bigger changes is the creation of a new category of covered entity known as a “Class A Company,” which is defined as an entity with at least $20 million in gross annual revenue from all business operations of the covered entity and the New York business operations of its affiliates and (i) over 2,000 employees over the last two fiscal years or (ii) over $1 billion in gross annual revenue from all business operations in each of the last two fiscal years.

In addition to the requirements applicable to all covered entities, a Class A Company will be subject to more stringent requirements, including:

  • Designing and conducting independent audits of its cybersecurity program based on its risk assessment. Independent audits may be conducted by internal or external auditors.
  • Monitoring privileged access activity and implementing both a privileged access management solution and an automated method of blocking commonly used passwords for all accounts on company systems.
  • Implementing additional security controls such as endpoint detection and response solutions to monitor abnormal activity.

Oversight by Senior Governing Body

The amended Regulation requires a “senior governing body” to oversee the covered entity’s cybersecurity risk assessment. A senior governing body consists of the entity’s board of directors, board committee, or equivalent governing body, or if neither body exists, the senior officers of a covered entity responsible for the cybersecurity program.

The amendments specify the senior governing body’s oversight duties, including:

  • Having a sufficient understanding of cybersecurity-related matters to exercise oversight.
  • Requiring development and implementation of the covered entity’s cybersecurity program.
  • Regularly receiving and reviewing management reports about cybersecurity matters.
  • Confirming that the covered entity’s management has allocated sufficient resources to implement and maintain an effective cybersecurity program.

The entity’s CISO must timely report to the senior governing body or senior officers on any material cybersecurity issues, including important cybersecurity events and significant changes to the entity’s cybersecurity program.

Reporting Cybersecurity Incidents

Previous specifications required a covered entity to report a cybersecurity event on NYDFS’ website as soon as 72 hours after determining a cybersecurity incident occurred to the covered entity, affiliates, or third-party service provider.

However, the amendments specify that notification to NYDFS is only required when a covered entity has determined a cybersecurity incident has occurred. A cybersecurity incident is an event that:

  • Impacts the covered entity and requires the covered entity to notify any government body, self-regulatory agency, or any other supervisory body;
  • Has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity; or
  • Results in the deployment of ransomware within a material part of the covered entity’s information systems.

Another important addition to the Regulation is the requirement to notify NYDFS within 24 hours if an extortion payment is made. Also, the covered entity must provide a written description of why the extortion payment was made, alternatives to payment considered, and diligence to comply with applicable rules within 30 days of the payment.

Heightened Technical Requirements for Cyber Defense

The Cybersecurity Regulation now requires annual penetration testing from both inside and outside of the information systems’ boundaries by a qualified internal or external party. Furthermore, there is a new requirement to conduct automated scans of information systems and a manual review of systems not covered by the automated scans to discover vulnerabilities.

Additionally, there are many limitations on access privileges. Entities must limit the number of privileged accounts only to those necessary to perform the user’s job, annually review all access privileges and remove accounts that are no longer necessary, disable all protocols that permit remote control of devices, and promptly terminate access following departures.

A new condition is in place to implement a written password policy that meets industry standards if passwords are employed as a method of authentication.

Lastly, subject to limited exceptions, all entities must use multi-factor authentication for any individual accessing the entity’s information systems.

Asset Management and Data Retention

The amended Regulation now requires entities to implement written policies and procedures to maintain a complete asset inventory of the entities’ information systems. The policies and procedures must include (i) a method to track key information for each asset (including owner, location, classification or sensitivity, support expiration date, and recovery time objectives) and (ii) the frequency required to update and validate the entity’s asset inventory.

Monitoring and Training

The Cybersecurity Regulation now calls for increased risk-based controls to protect against malicious code, including those that monitor and filter web traffic and e-mail to block malicious content. Additionally, at least annually, all covered entities must provide Cybersecurity Awareness Training that includes social engineering for all personnel.

Written Plans and Policies

Along with the existing requirement for an Incident Response Plan, entities must now establish a Business Continuity and Disaster Recovery (BCDR) plan to protect the entities’ information systems against cybersecurity-related disruptions to their normal business activities. The updated criteria specify the elements that need to be included in the BCDR plan, including:

  • Identifying documents, data, and personnel essential to the continued operations of the entity’s business.
  • Identifying the supervisory personnel responsible for implementing the BCDR plan.
  • Establishing a plan to communicate with essential personnel in the event of a cybersecurity disruption.
  • Creating procedures for timely recovery of critical data.
  • Setting out procedures for backing up or copying information essential to the operations of the entity.
  • Identifying third parties that are necessary to the continued operations of the information systems.

Additionally, all covered entities are required to train all relevant employees and annually test the incident response and BCDR plans.

Notice of Compliance

Covered entities can now choose between two options to certify annual compliance with NYDFS:

  • A written certification that certifies the entity materially complied with the requirements; or
  • A written acknowledgment that the entity did not materially comply with the requirements of the Regulation, along with a description of the nature of non-compliance and a remediation timeline.

The certification or acknowledgment must be signed by the entity’s highest-ranking executive and its CISO.

Compliance Deadlines

In general, most entities have until April 29, 2024, to comply with the amendments of the Cybersecurity Regulation. However, the following provisions have different transitional periods:

  • Incident reporting requirements take effect on December 1, 2023.
  • Senior governing body, encryption, business continuity plan, and limited exceptions take effect on November 1, 2024.
  • Automated scans, access privileges and management, and monitoring and training provisions take effect on May 1, 2025; and
  • Multi-factor authentication and asset management requirements take effect on November 1, 2025.

Key Takeaway

Entities must take proactive steps to assess their compliance with the amended Cybersecurity Regulation and rapidly work to address any gaps. Entities should first assess whether they fall under the definition of a Class A company, and thus have more stringent requirements to meet. Entities should also identify key compliance dates and work to ensure adherence to the new requirements.

ERMProtect Can Help

For 26 years, ERMProtect has been helping financial service organizations comply with the measures specified in the New York Cybersecurity Regulation. Our full suite of services includes penetration testing and social engineering, risk assessments, regulatory compliance assessments, policy and procedure development (including Incident Response and Business Continuity Plans), Security Awareness Training, and remediation services. For a free consultation or quote, email Judy Miller at [email protected] or call 305-447-6750.

Ms. Hernandez is a third-year law student at Stetson University College of Law. She is a judicial intern in the U.S. District Court of the Middle District of Florida. She is the author of Applying International Law to Cross-Border Cyber Attacks Sponsored by State Actors, 3.2 Stetson Bus. L. Rev. (forthcoming 2025).

DISCLAIMER: This article was not prepared by a licensed attorney. This article is not intended to and does not constitute legal advice. Please seek independent legal counsel if you are trying to comply with these regulations.
