Last week, amendments to the New York Department of Financial Services (“DFS”) cybersecurity regulations took effect. Codified at 23 NYCRR 500 (“Part 500”), these cybersecurity regulations broadly apply to companies that offer financial services or insurance products in New York State. Part 500 is highly prescriptive, and DFS-licensed entities, including banks, should proactively review their programs and establish compliance with the new requirements, particularly given DFS’s history of aggressive enforcement of its cybersecurity regulations.
Highlights of the amendments to the Part 500 cybersecurity regulations include the following:
Enhanced Governance Requirements: Consistent with recent efforts by the Securities and Exchange Commission, Part 500 has intensified cyber governance requirements for covered entities. Among other things, Chief Information Security Officers (“CISOs”) are now required to report any significant cybersecurity event or change to the cybersecurity program to the board of directors. In addition, boards of covered entities are obligated to have sufficient cybersecurity-related expertise, which may include the use of advisors, and must exercise oversight over the development, implementation and maintenance of the entity’s cybersecurity program, including approving all written policies at least annually.
Multi-Factor Authentication (MFA) Requirements: Although Part 500 further tightens prescriptive security requirements in a number of areas, covered entities should pay particular attention to the updated MFA requirements, given DFS’s historical focus on extracting multi-million dollar settlements for failure to comply with that requirement. Previously, MFA was required only for remote access to a covered entity’s network. Covered entities are now expected to require MFA for any user accessing any of their information systems, with a limited exception for qualifying small companies, which need only implement MFA for remote access to the company’s systems, for third-party applications that contain the company’s non-public information, and for privileged accounts. A covered entity can satisfy the MFA requirement with reasonably equivalent or more secure compensating controls only if its CISO approves those controls in writing and reviews and certifies them at least annually.
Ransomware and Digital Extortion Focus: Seizing on the dramatic increase in ransomware attacks over the past several years and regulatory concern over payments to the criminal ecosystem, Part 500 imposes an array of new requirements regarding ransomware and digital extortion incidents, including:
- Backup Requirements: To promote the resiliency of information systems in the wake of a ransomware attack, covered entities are now obligated to maintain backups of the systems necessary to restore material operations, and must test at least annually their ability to restore those systems from the backups.
- Ransomware/Cyber Extortion Reporting Requirements: Part 500 has historically required notification to DFS of cybersecurity incidents that either (1) have a material impact on the covered entity’s operations or (2) must otherwise be reported by the covered entity to another regulator. The amendments add a new notification trigger: an incident in which ransomware is deployed within a material part of the covered entity’s information systems. Covered entities are further required to inform DFS within 24 hours of making any extortion payment to a threat actor, and must follow up within 30 days with a written report detailing why the payment was necessary, the alternatives to payment that were considered, all diligence performed to find alternatives to payment, and compliance with other applicable rules and regulations, specifically including those of the Office of Foreign Assets Control (OFAC). While these requirements do not outlaw payments to threat actors, they significantly raise the stakes for a company that seeks to pay one by requiring robust, well-documented diligence, particularly around sanctions issues. Further, a company contemplating a threat actor payment should consider whether its report to DFS would imply a violation of the new Part 500 requirements to maintain available, robust backups capable of restoring operations: a payment made because systems could not be restored invites the question of why the required backups and restoration tests did not prevent that outcome.
Tightened Certification Requirements: Part 500 historically required covered entities to certify compliance on an annual basis but provided no alternative for companies that were not in a position to fully certify compliance. The amendments now make clear that every covered entity must either certify compliance or, in the alternative, submit a written acknowledgment that the entity was not in material compliance with all requirements. Any such acknowledgment must identify the areas of non-compliance and provide a remediation timeline. In addition, certifications and acknowledgments must be signed by both the CISO and the covered entity’s highest-ranking executive. Companies need to audit their compliance with Part 500 carefully, as false or misleading statements in these filings can be used by DFS as the basis for an enforcement action. Further, these certifications increase the personal risk for the signing executives, as enforcement authorities are increasingly pursuing individuals over cybersecurity issues, as illustrated by the recent SEC action against SolarWinds and its CISO.
Expanded Obligations for New “Class A” Companies: DFS has also created a new category of large covered entities referred to as “Class A” companies, defined as companies with: (a) at least $20 million in gross annual revenue in each of the past two fiscal years from business operations in New York State; and (b) either more than 2,000 employees, or more than $1 billion in gross annual revenue in each of the past two fiscal years, counting the entity and its affiliates anywhere in the world. Qualifying companies are required to design and conduct independent audits of their cybersecurity program, implement a privileged access management solution, implement an automated method of blocking commonly used passwords for all accounts, deploy an endpoint detection and response solution to monitor for anomalous activity, and centralize logging and security event alerting.
Conclusion. The expanded Part 500 requirements signal DFS’s intent to continue its history of aggressive enforcement of cybersecurity requirements across the wide range of companies it supervises. Covered entities should pay close attention to the new governance and technical control requirements, and take particular care with compliance certifications in order to minimize the risk of liability to both the covered entities and their certifying officers.