On November 1, 2023, the New York Department of Financial Services (NYDFS) finalized its proposed cybersecurity rules, which build upon existing NYDFS cybersecurity requirements in the Part 500 Cybersecurity Rules.
New class of covered entities
The updated rules finalize a new class of financial services companies subject to NYDFS’ regulations that will have heightened requirements. “Class A” companies must have at least $20 million in gross annual revenue in each of the last two fiscal years, and either more than 2,000 employees or more than $1 billion in gross annual revenue in each of the last two fiscal years from the business and its affiliates.
Each class A company will be required to “design and conduct independent audits of its cybersecurity program based on its risk assessment,” monitor its privileged access activity, deploy a method for blocking commonly used passwords, implement endpoint detection, and have a logging and security event alerting function.
In addition to the requirements for class A companies, the new rules lay out new reporting and technical and organizational requirements that apply to all covered entities, as outlined below.
Cybersecurity incident reporting
Expanded reporting requirements include not just where the covered entity is directly subject to a cybersecurity incident, but also cases in which cybersecurity incidents at its affiliates or third-party service providers:
- Impact the covered entity and require it to notify any government body, self-regulatory agency, or other supervisory body.
- Have a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity.
- Result in the deployment of ransomware within a material part of the covered entity’s information systems.
Each covered entity must report any incident that it experiences, or that impacts its affiliates or third-party service providers, if that incident meets any of the three criteria above.
Extortion payment reporting
If the covered entity makes an extortion payment in connection with a cybersecurity event, the covered entity must notify NYDFS within 24 hours of making the payment. Additionally, within 30 days of the payment, the covered entity must provide “a written description of the reasons payment was necessary, a description of alternatives to payment considered, all diligence performed to find alternatives to payment and all diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control.”
A covered entity is required to have a chief information security officer (CISO) or equivalent officer to oversee the covered entity’s cybersecurity program, including the above requirements. In addition:
- The CISO is required to report annually to the covered entity’s board or senior governing body.
- The CISO must “timely report to the senior governing body or senior officer(s) on material cybersecurity issues, such as significant cybersecurity events and significant changes to the covered entity’s cybersecurity program.”
- The board or senior governing body will exercise oversight of the company’s information security functions.
- A senior officer or the senior governing body of the covered entity must approve the written policies for the protection of the covered entity’s information systems and nonpublic information stored on those systems at least annually.
Additional security controls and policy requirements
In the event of a cybersecurity incident, a covered entity has an ongoing obligation to provide NYDFS with material changes or new information. Additional specific security controls and policy requirements include:
- Multifactor authentication for any individual accessing any information systems of a covered entity (unless the covered entity’s CISO approves an equally or more secure method).
- Written policies and procedures for asset inventory of the covered entity’s information system.
- Implementation of risk-based controls designed to protect against malicious code and block malicious content.
- Cybersecurity training at least once per year that includes social engineering training.
- An industry standard, written encryption policy.
- A vulnerability management policy and procedure for timely remediation of vulnerabilities based on the risk they pose to the covered entity.
- An incident response plan that contains proactive measures to investigate and mitigate cybersecurity events.
- A business continuity and disaster recovery plan (per the NYDFS rules, which describe specific required components for this plan).
Finally, the covered entity’s CISO and its highest-ranking executive must certify material compliance with the rules annually. While certification of compliance has been a requirement of the NYDFS rules previously, the amended rules require the certification to come from the CISO or equivalent officer – and covered entities must now document any areas of the rules with which they are not in material compliance. Covered entities also must set forth a remediation plan and timeline for areas of noncompliance in the annual certification.
When do the new rules take effect?
The rules will become effective in waves, allowing covered entities lead time to comply with the new requirements. Within 30 days of the effective date (December 1, 2023), covered entities will be required to comply with the incident reporting obligations.
Within one year of the effective date (November 1, 2024), covered entities will be required to comply with obligations related to CISO and senior governing body requirements, encryption policies, and incident response and business continuity requirements. Within 18 months, covered entities will be required to comply with most of the rules’ updated technical requirements, with the exception of the multifactor authentication requirement and asset management policies and procedures, which are effective two years from the rules’ effective date.
The NYDFS rules generally align with heightened technical and organizational requirements from state and federal regulators for cybersecurity functions and oversight by CISOs and company boards. Against the backdrop of the forthcoming effective date of the SEC’s cybersecurity disclosure rules in December and the recent SEC enforcement action against SolarWinds in relation to its cybersecurity practices, the new NYDFS rules are the latest requirements that companies should consider when developing and updating their information security programs.