The New York Department of Financial Services celebrated the five-year anniversary of 23 NYCRR 500—commonly referred to as the DFS Cyber Security Regulation—with amendments to that regulation. The DFS has released a pre-proposal for comment. Here is what is in this early draft of the regulation:
What is the 23 NYCRR 500?
Originally published in 2017, 23 NYCRR 500 was a first-in-the-nation attempt at creating standards for the financial services industry in protecting nonpublic information. Many of the elements of 23 NYCRR 500 found their way into the National Association of Insurance Commissioners’ model data security law, which in turn has been adopted by at least 13 states, including Connecticut and New Hampshire.
What applies to everyone?
Under 23 NYCRR 500, covered entities that fall under certain employee or revenue thresholds must comply with only a limited number of provisions of the regulation. While the proposed amendments do add some new responsibilities to the existing requirements, the list of requirements that a limited-exempt covered entity must follow is unchanged. Below is a list of the requirements that these covered entities and all others must follow and what is new for each:
500.02—Cyber security program. Covered entities are required to maintain a cyber security program designed to protect the confidentiality, integrity, and availability of their information systems. Minimal changes were made to this section. Under the proposal, a covered entity’s cyber security program must be designed to protect not only the entity’s information system, but also the nonpublic information stored on the information system. Presumably many of the steps that a covered entity would take to protect its information system also would protect the nonpublic information stored on it, so this change could have minimal impact.
500.03—Cyber security policy. Covered entities must implement and maintain a written policy or policies for the protection of their information systems and nonpublic information stored on those information systems. This section has been amended in several small, but substantial ways. A covered entity must now approve a written security policy on an annual basis. The current regulation is silent as to how often a security policy must be approved. A covered entity’s cyber security policy must now address access controls related to remote access as well as end-of-life management for devices.
500.07—Access privileges. Covered entities must limit user-access privileges to their information systems that provide access to nonpublic information and need to periodically review such access privileges. The proposed amendments require a covered entity to limit user access privileges to only those necessary to perform the user’s job. The number of privileged accounts (defined as accounts that can perform certain high-level security-relevant functions) should be limited as well, and they should only be used when performing activities that require privileged access. Covered entities would be required to review all user access privileges and remove those that are no longer necessary. Importantly, covered entities also must disable or securely configure all protocols that permit remote control of devices.
500.09—Risk assessment. Covered entities must conduct a risk assessment of their information systems and use this information to design a cyber security program and policy. Under the proposal, a risk assessment would be required to be completed at least annually. Currently, the regulation only requires a risk assessment to be performed periodically.
500.11—Third-party service provider security policy. Covered entities need to implement written policies and procedures designed to ensure the security of their information systems and nonpublic information that are accessible to, or held by, third-party service providers. Minimal changes were made to this section. However, a limited exception was removed for employees of a covered entity. Under the current regulation, employees of covered entities are not required to develop their own third-party information security policy; that exception was removed in the proposal. It is not clear if employees now will be required to develop a third-party information security policy or whether the DFS considers a later exemption in the regulation to already exclude employees from this requirement. PIA Northeast will seek clarification on this issue.
500.13—Limitations on data retention. Covered entities must develop and implement policies and procedures for the secure disposal on a periodic basis of any nonpublic information that is no longer necessary for their business operations. There are significant changes in this section; the current regulation only requires a policy for the disposal of nonpublic information. The proposed amendments require covered entities to have a policy for the management of an asset inventory, which includes all information systems and their components such as hardware, operating systems, applications, infrastructure devices, and cloud services. A covered entity’s policy must include records that indicate the owner, location, classification or sensitivity, support expiration date, and recovery time requirements of assets. In addition, the policy must state how frequently the covered entity’s asset inventory is to be updated and validated.
500.17—Notice to superintendent. This section received a few updates, including several new notices that covered entities may be required to file. As in the current regulation, covered entities are required to notify the superintendent of a cyber security event as promptly as possible—but in no event later than 72 hours from a determination that a cyber security event has occurred. Under the proposed amendments, the notification must be submitted electronically in the form set forth on the DFS’s website. Formerly, notification was required if a cyber security event occurred that either triggered a notification requirement under a different law or regulation, like HIPAA, or had a reasonable likelihood of materially harming any material part of a covered entity’s business. Under the amendments, notification would be required in those instances as well as if an unauthorized user gained access to a privileged account, or ransomware was deployed within a material part of a covered entity’s information system.
Section 500.17 also addresses the notice of compliance that all covered entities are required to file with the DFS on an annual basis. These notices must be submitted electronically to the DFS by April 15 of each calendar year. The notice is a written certification that the covered entity was in compliance with 23 NYCRR 500 during the prior calendar year. Covered entities would be required to base that certification upon data and documentation that demonstrates compliance with the regulation. While covered entities would not be required to file this documentation, they would be required to maintain the documentation for a period of five years for DFS examination. Those that cannot demonstrate compliance would be required to file a written acknowledgment of noncompliance which identifies the provisions of the regulation the entity is not fully in compliance with and identifies all the areas, systems and processes that require updating.
A third required notice would be added to the regulation. The proposed amendments would require covered entities to notify the DFS of any extortion payment made in connection with a cyber security event. Notice of the payment must be made within 24 hours of the payment. The covered entity would then be required to follow up within 30 days of the payment with details as to why the payment was necessary and what alternative solutions were considered, among other information.
Let’s talk about exemptions
Section 500.19 deals with exemptions to the regulation. The exemptions have been updated in several significant ways. The limited exemption received an update that will likely mean more covered entities qualify for the limited exemption than in years past.
Under the current regulation the limited exemption applies to covered entities with:
- fewer than 10 employees (part-time or full-time), including any independent contractors, of the covered entity or its affiliates located in New York state or responsible for business of the covered entity, or
- less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations of the covered entity and its affiliates, or
- less than $10 million in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all affiliates.
Under the proposed regulation the limited exemption applies to covered entities with:
- fewer than 20 employees (part-time or full-time) and independent contractors, of the covered entity or its affiliates located in New York state or responsible for business of the covered entity regardless of location, or
- less than $5 million in gross annual revenue in each of the last three fiscal years from business operations of the covered entity and its affiliates in New York, or
- less than $15 million in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all affiliates.
The increase in both the number of employees and the year-end total assets should mean that many covered entities that do not qualify for the limited exemption now would qualify if the proposal as currently written were to go into effect. The sections of the regulation to which the limited exemption applies remain unchanged.
Those that qualify for the limited exemption are exempt from some of the requirements of this regulation (Sections 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15 and 500.16 of this part). But all entities must comply with Sections 500.02, 500.03, 500.07, 500.09, 500.11, 500.13 and 500.17.
A second significant change is the creation of a new exemption that will impact many retired insurance agents. Under the proposed regulation, any individual insurance agent with an inactive license is totally exempt from the requirements of this regulation. An agent’s license becomes inactive when all certificates of appointment have been terminated by insurers.
No exemptions here
What about those entities that do not qualify? (If you qualify for the limited exemption above, the following sections of the regulation do not apply to you.)
There are several significant changes for non-exempted covered entities, especially for the biggest companies in the financial services industry.
Section 500.4—Chief information security officer. This addresses the requirement that all non-exempt entities have a Chief Information Security Officer. This section received several updates. CISOs now must have adequate independence and authority to ensure cyber risks are appropriately managed. In addition, CISOs will be required to report material cyber security issues to a covered entity’s senior governing body in a timely manner. For those covered entities with a board of directors, the board (or an appropriate committee) is charged with ensuring that the covered entity’s executive management has developed and implemented an information security program. Related to the CISO is a change in Section 500.8, which would require the CISO to annually review and update the procedures used to ensure the secure development of in-house applications as well as the procedures used for testing the security of applications developed by third parties.
Section 500.5—Penetration testing and vulnerability assessments. Under the amendments, penetration testing is required to be performed annually by a qualified independent party. In addition, regular vulnerability assessments are required. Any gaps that are discovered must be documented and reported to the senior management and governing body of the covered entity.
Section 500.8—Application security. Related to the CISO (Section 500.4) is a change in Section 500.8, which would require the CISO to annually review and update the procedures a covered entity uses to ensure the secure development of in-house applications as well as the procedures used for testing the security of applications developed by third parties. The current regulation only requires periodic review.
Section 500.12—Multi-factor authentication. Multi-factor authentication has been an area of focus for the DFS. So, it is no surprise that Section 500.12, which applies to MFA, has been updated. Under the amendments, MFA is required for any remote access to any of a covered entity’s information systems from which nonpublic information is accessible. MFA also will be required for privileged accounts, except for service accounts that prohibit interactive login, as long as reasonably equivalent security is used.
Section 500.14—Training and monitoring. The proposed regulation increases the amount of training and monitoring a covered entity is required to perform. Under Section 500.14, covered entities must now monitor and filter emails to block malicious content and provide regular cyber security training to employees, including training on phishing.
Section 500.15—Encryption of nonpublic information. Covered entities will be required to encrypt nonpublic data both at rest (i.e., sitting on a server) and in transit (i.e., emailed). The encryption used must meet industry standards. Any covered entity that determines that encrypting data at rest is infeasible is required to have its CISO review the feasibility of encryption on an annual basis.
Section 500.16—Operational resilience. This section, which has been renamed, adds a robust new requirement. Now non-exempt entities will be required to develop business continuity and disaster recovery (BCDR) plans. The plan is supposed to be designed to ensure the covered entity can continue operations in the face of a disaster. Under the proposed amendments, a BCDR plan must include a wide range of information, including the identity of documents, data, facilities, infrastructure and personnel that are essential to continue operations, as well as the personnel responsible for implementing the BCDR plan. Covered entities would be required to share copies of the BCDR plan with all relevant employees and provide training for those who are responsible for implementing it.
A new class of companies
The proposed updates to the New York cyber security requirements would create a new class of covered entity: Class A companies. Class A companies would be defined as covered entities with either more than 2,000 employees, or over $1 billion in gross annual revenue based on the average over the previous three fiscal years. Employees and revenue from all affiliate operations would be included for the purposes of determining if a covered entity must comply with the additional requirements of a Class A company under the updated regulation.
Class A companies already must comply with the requirements of covered entities under the cyber security regulation. The updates to the regulation for non-exempt covered entities would also apply to them. In addition to these requirements, Class A companies also would be required to:
- Conduct an independent audit of their cyber security program at least once a year. The auditors may be internal or external, but they would need to be free to make their own decisions independent of the covered entity, its owners, or other employees.
- Conduct weekly vulnerability testing with systematic scans or reviews in addition to penetration testing at least annually.
- Monitor privileged access activity, implement an automated method of blocking commonly used passwords, and implement a password vaulting solution for privileged accounts. (Password vaulting means storing the passwords for privileged accounts in a secure password vault separate from the account information for other users). The CISO may approve alternatives to password vaulting and automated password blocking if the entity uses equally or more secure alternatives.
- Conduct a risk assessment by external experts at least once every three years.
- Implement an endpoint detection and response solution to monitor anomalous activity, including lateral movement; and a solution that centralizes logging and security event alerting. The CISO may approve alternatives in writing if reasonably equivalent or more secure.
The proposed regulation does not include a requirement that Class A companies formally notify or file with the DFS their status as such a company.
Watch out for enforcement
Section 500.20, which deals with enforcement, has been beefed up. The current regulation is brief on enforcement, stating only the superintendent has the authority to enforce the regulation. The proposed amendments get much more explicit. Two new subsections have been added.
One deals with violations and the other with penalties. Under the proposed amendments, a failure to prevent unauthorized access to nonpublic information due to noncompliance with any section of the regulation would be a violation. The second notes that failure to comply with any 24-hour notice provision would be considered a violation.
In addressing penalties, the proposed amendments contain a list of factors that the superintendent may consider when issuing penalties. That list includes the good faith of the entity, whether violations were intentional or inadvertent, and any history of prior violations, among other factors.