Proposed Amendments to New York’s Cybersecurity Regulations

Evan J. Foster, Amanda Dennis
Published

On November 9, 2022, the New York Department of Financial Services (“NYDFS”) published proposed amendments (the “Proposed Amendments”) to its Cybersecurity Regulations (23 NYCRR 500), commonly referred to as Reg. 500. The comment period for these Proposed Amendments ends on January 9, 2023. Following the end of this 60-day comment period, the NYDFS may make changes to the Proposed Amendments based on the comments received. To comply with the Proposed Amendments (if adopted by the NYDFS), companies subject to Reg. 500, including insurers, title companies, banking and financial services firms, will likely need to modify procedures, processes, and operations. A brief background and key takeaways are presented below.​

What You Need to Know:

  • The Proposed Amendment establishes significant new technical, operational and governance requirements on all entities subject to NYDFS Reg. 500.
  •  It also establishes specific notification requirements for companies affected by ransomware.
  • It creates a new category of “Class A” companies subject to even higher technical, operational and governance requirements standards.

 

Reg. 500 was first adopted in 2017, creating cybersecurity and risk management regulations for Covered Entities. 23 NYCRR 500. With the passage of the then-novel cybersecurity regulations, New York created a regulatory benchmark for establishing and maintaining cybersecurity programs and processes. Several states have since enacted similar regulations across various sectors. Notably, in promulgating the Insurance Data Security Model Law, the National Association of Insurance Commissioners (“NAIC”) indicates in a Drafting Note that licensees in compliance with Reg. 500 are also in compliance with the NAIC Insurance Data Security Law. NAIC Model Law at 1. Following the proposed changes to Reg. 500, many states may adopt similar changes to their own cybersecurity regulations.

The Proposed Amendments, if adopted, could lead to significant changes for companies seeking to maintain compliance with Reg. 500. On July 29, 2022 NYDFS informally proposed amendments (the “Pre-proposed Amendments”) to Reg. 500. Guide NYDFS’s Cybersecurity Reg.; Pre-Proposed Amendments The Pre-proposed Amendments were issued in a draft form for an informal comment period. Id. On October 25, 2022, the official draft amendments to Reg. 500 were filed with the Secretary of State. On November 9, 2022, the Proposed Amendments were published in the State Register. NYDFS Website - Timeline These Proposed Amendments were subject to a 60-day public comment period which ends on January 9, 2023. Id. If adopted, the majority of the amendments will become effective 180 days after final adoption, although some changes do not become effective for 18 months. NYDFS Proposed Changes at 4; Proposed Amendment. The Proposed Amendments pertaining to the expanded notification requirements will take effect 30 days after adoption, and Covered Entities will have two years to reach compliance with asset inventory requirements. Proposed Amendment. As drafted, the Proposed Amendments include several notable changes, which have the potential to significantly impact companies subject to Reg. 500.

Key Takeaways: The Proposed Amendments can be broken up into approximately six main categories of changes. NYDFS Proposed Changes. These include: (1) Changes to Covered Entity Status; (2) Cybersecurity Policy and Management Requirements; (3) Notice Requirements; (4) Operational Requirements; (5) Technical Requirements; and (6) Violations. Id.; Proposed Amendment.

(1) Changes to Covered Entity Status:

The Proposed Amendments establish a new category of Covered Entities called “Class A Companies,” which are subject to unique, heightened requirements. “Class A Companies” are defined as Covered Entities with: (1) over 2,000 employees, including those of both the Covered Entity and all of its affiliates no matter where located; or (2) over $1,000,000,000 in gross annual revenue averaged over the last three fiscal years from all business operations of the Covered Entity and all of its affiliates. These “Class A Companies” will be required to:  

a. Conduct an annual independent audit of cybersecurity programs;

b. Have a monitoring process in place to ensure the Covered Entity is promptly informed of the emergence of new security vulnerabilities;

c. Implement and monitor a privileged account access system, including use of a password vaulting solution and automated blocking of commonly used passwords;

d. Implement an endpoint detection and response solution and a centralized logging and security event alerting solution; and

e. Engage external experts to conduct a risk assessment at least once every three years.

23 NYCRR 500.1, 500.2, 500.5, 500.7, 500.9, 500.14

In addition, the Proposed Amendments establish additional exemptions from complying with sections, or all of, Reg. 500. Exemptions can apply if the Covered Entity has less than 20 employees or independent contractors, makes less than $5,000,000 in gross annual revenue, or has less than $15,000,000 in year-end total assets. 23 NYCRR 500.19(a). Additionally, individual insurance brokers, subject to Insurance Law section 2104, that qualify for the exemption in 23 NYCRR 500.19(c) (for Covered Entities that do not directly or indirectly operate, maintain, utilize or control any Information Systems or generate, receive, or possess Nonpublic Information) are exempt from Amended Reg. 500 if the individual has not been active as an insurance broker for at least one year. 23 NYCRR 500.19(c), (e).

(2) Cybersecurity Policy and Management Requirements:

The Proposed Amendments also include new requirements for all Covered Entities. These changes include:

a.  A Covered Entity’s written cybersecurity policy must be reviewed and approved on an annual basis by a senior officer or senior governing body of the Covered Entity. Under the current Cybersecurity Regulation, only initial approval is required;

b. Retention, end of life management, remote access, monitoring, security awareness and training, notification, and vulnerability management must now be specifically addressed by the cybersecurity policy, or policies and procedures;

c. The Chief Information Security Officer (“CISO”) must have adequate authority to ensure cybersecurity risks are appropriately managed. CISO must report to the senior governing body on the Covered Entity’s cybersecurity program, including plans for remediating material inadequacies; and

d. If the Covered Entity has a board of directors or equivalent, it must (1) exercise oversight of, and provide direction to management on, the Covered Entity’s cybersecurity risk management; (2) require the Covered Entity’s executive management to develop, implement, and maintain the Covered Entity’s cybersecurity program; and (3) have, or be advised by someone with, sufficient expertise and knowledge to exercise effective oversight of cybersecurity risk management. 

23 NYCRR 500.3, 500.4

(3) Notice Requirements:

New notice requirements were also proposed. These changes relate to the requirements for (a) notice of a cybersecurity event; (b) notice of compliance; and (c) notice and explanation of extortion payment. Notification must be made electronically, unless exempt. These modifications included the addition of the following new notification requirements:

a. Notice of a cybersecurity event:

  1. Each Covered Entity must notify NYDFS electronically within 72 hours of cybersecurity event (i) where an unauthorized user has gained access to a privileged account; or (ii) where there has been deployment of ransomware within a material part of the Covered Entity’s information system.
  2. Each Covered Entity must provide NYDFS electronically, within 90 days of the notice of the cybersecurity event, any information requested regarding the investigation of the cybersecurity event. The Covered Entity will have a continuing obligation to update and supplement the information provided.
  3. Each Covered Entity that is affected by a cybersecurity event at a third-party service provider must notify NYDFS electronically within 72 hours from the time the Covered Entity becomes aware of the cybersecurity event.

b. Notice of compliance: Each Covered Entity must electronically submit to NYDFS annually by April 15 either a written certification that provides data and documentation to demonstrate compliance, or a written acknowledgement which acknowledges that the Covered Entity did not fully comply with all the requirements of Reg. 500 and identify areas for improvement, a plan of remediation, and a timeline for such remediation. This acknowledgement must be signed by the Covered Entity’s highest ranking executive and its CISO.

c. Notice of explanation of extortion payment: Each Covered Entity must notify NYDFS electronically within 24 hours of making any extortion payment and each Covered Entity must, within 30 days of making the extortion payment, provide a written description of the reasons payment was necessary, alternatives that were considered, and all diligence performed to find alternatives to payment and ensure compliance with rules and regulation of the Office of Foreign Assets Control.

23 NYCRR 500.17, 500.24

(4) Operational Requirements:  

Covered Entities must establish written plans that have proactive measures to investigate and mitigate disruptive events and ensure operational resilience. These must include at least written plans for incident response, business continuity, and disaster recovery.

a.  Incident response plans: must now also include recovery from backups and must be updated as necessary.

b. Business continuity and disaster recovery plans: must be designed to ensure the availability and functionality of the Covered Entity’s services and to protect its personnel, assets and nonpublic information in the event of an emergency or other disruption to the Covered Entity’s normal business activities. These plans are subject to minimum requirements.

c. Covered Entities must: distribute current copies and provide relevant training on these plans to employees, run annual tests on these plans and maintain backups that adequately protect from unauthorized alterations or destruction.

23 NYCRR 500.16

(5) Technical Requirements:

As part of new technical requirements, changes were made with regard to asset inventory, privileged accounts, and risk assessments.

a. A Covered Entity’s cybersecurity program must implement policies and procedures to ensure complete, accurate, and documented asset inventory that tracks key information for each asset (such as owner, location, classification or sensitivity, support expiration date, and recovery time requirements) and the frequency with which this information must be updated.

b. Requirements relating to privileged accounts will be expanded such that the access to, number of, and use of privileged accounts will be limited. Review of user access privileges must be done annually, all protocols that permit remote control of devices must be disabled or securely configured, and following departures, access must be promptly terminated. Covered Entities using passwords as authentication must use a written password policy that meets industry standards. Class A Companies must, in addition to this, also monitor privileged access activity and implement a privileged access management solution and an automated method of blocking commonly used passwords, when feasible.  

c. Risk assessment must be reviewed and updated annually and whenever a change in the business or technology causes a material change to the Covered Entity’s cyber risk. Class A Companies must use external experts for a risk assessment at least every three years.


23 NYCRR 500.7, 500.9, 500.13

(6) Violations:

a. Commission of a single act prohibited by Reg. 500 or failure to satisfy any of its obligations, including failure to secure or prevent unauthorized access to nonpublic information due to noncompliance or comply with any 24-hour period, constitutes a violation.

b. Several mitigating factors may be considered when assessing a violation.

23 NYCRR 500

Companies should be aware of the Proposed Amendments to Reg. 500. The new requirements may be costly for companies and may require major changes to a company’s technology. NYDFS Proposed Changes. The Proposed Amendments will likely go into effect in 2023 and may require significant increases in a company’s cybersecurity budgets, enhancements to a company’s technology, and new policies to address the new audit and risk assessment requirements. Id. Companies should start planning now on how best to ensure they can reach timely compliance with the Proposed Changes. ​

Authors
Evan Foster Headshot
Amanda Dennis Headshot