The New York State Department of Financial Services released the official proposed second amendment to the cybersecurity regulation (23 NYCRR 500). This follows an unofficial draft of the amendments that circulated in August. The amendment would make multi-factor authentication mandatory for all covered entities, increase the thresholds for entities to qualify for the limited exemption, and create a category for larger corporations, Class A entities.
The proposed amendment would also require at least an annual review of cyber security policies and the entity’s risk assessment, a more defined period than the current regulation’s “periodically” review requirement. This is an overview of the changes. PIA also has a section-by-section breakdown with all the changes to the regulation and will continue to update members as the regulation goes through the rulemaking process and into effect.
Changes to the exemption
The proposed amendment would expand the limited exemption to a covered entity with fewer than 20 total employees (currently 10 employees); less than $5 million in gross annual revenue in each of the last three fiscal years (no substantive change); or less than $15 million in year-end total assets (currently less than $10 million). The entities are exempt from specific requirements as smaller businesses. Entities must certify they qualify for the limited exemption, which remains unchanged in the proposed amendments. If an entity no longer qualifies for the exemption, then the proposed amendment would reduce the time to comply to 120 days from the current 180 days.
All covered entities that must comply with the regulation, including businesses that qualify for the limited exemption, would be required to have multi-factor authentication for remote access to information systems, access to third-party applications, such as cloud storage, and all privileged accounts. This reflects guidance issued by DFS in 2021 that emphasized how multi-factor authentication greatly helps protect user accounts and its wide availability since the initial regulation went into effect.
The proposed amendment would also add exemptions for inactive agents and brokers who do not place a policy for at least a year. The draft proposal previously did not include an exemption for inactive brokers and PIANY advocated for the inclusion, working with other industry groups to persuade the department with language that would address their concerns.
Changes to cyber security programs and incident responses
The proposed amendment would require at least annual reviews of a covered entity’s cyber security policy and risk assessment, a more defined term than the current requirement of periodical reviews. The proposal would add several areas that the cyber security policies and procedures should address, including data retention, device removal, remote access, response notification, and vulnerability management. The expansion of vulnerability management is further addressed in a greatly expanded section that elaborates of the penetration and vulnerability testing that would be required with timely notification of new vulnerabilities and consideration toward timely remediation. The proposed amendment would also increase the requirements related to asset management and inventory to increase consideration and management of devices with access to information systems.
To emphasize security through the design of internal systems, the proposed regulation would require all covered entities to take increased measures to limit the number of privileged accounts and review user access privileges annually. The amended regulation would require entities to limit user privileges to access necessary for their job, a measure that could greatly limit the damage of a cybersecurity event.
In addition to the continued emphasis on protecting nonpublic consumer information, the proposed amendment would greatly expand on business recovery and operations. Nonexempt entities would be required to develop a business continuity and disaster recovery plan with a focus on the business operations of the entity. Compliance with this section could better equip businesses with operating after a cyberevent or natural disaster and ensure protected back-ups of data from clients and the entity.
The proposal would amend the training requirements for nonexempt entities to now require employee training at least annually. It would continue to need to reflect the risk assessment and the amendment would also require social engineering exercises, reflecting the number of cyber events related to subtle email and texting scams. Training at least once a year would also be required specifically for staff, senior officers, and high-ranking executives critical to the business continuity and disaster recovery plan.
Certification and reporting
The annual certification by April 15th of cyber security compliance for the previous year would remain in the regulation and continue to apply to all covered entities, including those who qualify for the limited exemption. If a covered entity did not comply with the cyber security regulation, then the proposal would add a requirement that the entity file written acknowledgement of noncompliance with the DFS. The amendment would specify that written certification of compliance be submitted electronically and must be signed by the entity’s highest-ranking executive and chief information security officer. If an entity does not have a CISO, then the senior officer responsible for the cyber security program would need to sign the certification of compliance.
In the event of a specified cyber security event, the regulation would continue to require notice to the DFS as soon as possible and no more than 72 hours after the determination of the event, including cyber security events at a third-party service provider. The amendment would specify that this notice must be done via the electronic form on the DFS website and adds two additional cybersecurity events where notice is required—if an unauthorized user gains access to a privileged account or a cyber security event that results in the deployment of ransomware within a material part of the entity’s information system. The proposed amendment also adds a required follow-up notice within 90 days of the reported cyber security event that would report on the investigation into the event with entities required to continue to notify the DFS with supplemental information as necessary.
Following the dramatic rise in ransomware attacks since the regulation first went into effect, the amended regulation would also require notice to the DFS of any extortion payments within 24 hours of making the payment. The first notice would only need to report the payment with a written description of why the entity made the payment, considered alternatives, diligence in pursuing alternatives, and all diligence regarding compliance with applicable rules and regulations required within 30 days of the extortion payment being made. The proposed amendment would also require an entity that made an extortion payment to comply with the cybersecurity event notice requirements as applicable.
Class A companies
The proposed amendment would create a new category of covered entities, Class A companies. Covered entities with at least $20 million in gross annual revenue in each of the last two fiscal years from business operations in New York state, including revenue generated by affiliates, would qualify as a Class A company only if they also have over 2,000 employees averaged over the last two fiscal years, including employees at affiliates; or they had over $1 billion in gross annual revenue in each of the last two fiscal years across all business operations, including affiliates and revenue from outside New York state and the United States. Any entity that has over $20 million in gross annual revenue but does not meet either of the other criteria would not be considered a Class A company.
Class A companies would have several additional requirements under the amended regulation to reflect the increased amount of data under their control and the increased resources to protect their data security systems. In addition to the risk assessment requirements for covered entities, Class A companies would need an annual independent audit of their cybersecurity program by a third-party with the freedom to make decisions independent of the company and a risk assessment by external experts at least once every three years. Class A companies would also have additional requirements for privileged user access, monitoring, and training.
Timeline for compliance
This proposed amendment to the regulation will not go into effect until it has been published in the Notice of Adoption in the State Register. Comments remain open until January 2023, meaning it cannot be published and go into effect until after the comments have been reviewed.
The proposed amendment includes a staggered timeline for specific sections to go into effect similar to the original regulation. Covered entities would have, at a minimum, 180 days to comply with all the changes except for the notice requirements to the DFS.
PIA will publish a more thorough timeline with the exact date when the regulation goes into effect.
Clare Irvine, Esq.
Clare Irvine, Esq., graduated from Fordham University School of Law and Arizona State University.