NYDFS Overhauls Cybersecurity Rules for State-Regulated Financial Services Firms
The New York Department of Financial Services (“NYDFS”) has released a comprehensive revision of the cybersecurity requirements for state-regulated financial services firms, including banks and insurance companies. The new rules, which will take effect in stages over the next two years, include heightened cybersecurity requirements for larger institutions that are identified as “class A” companies and provide limited exemptions for smaller entities from many of the more onerous requirements. The updated rules, which make final a proposed rule released at the end of June 2023, represent the most significant changes to the NYDFS rules since their initial adoption in 2017.
The rules generally address the requirements for “covered entities” (see below) to safeguard against the occurrence of a “cybersecurity event” that affects an entity’s information systems. A “cybersecurity event” is any act or attempt, whether successful or unsuccessful, to gain unauthorized access to an information system or information stored on the system. The rules add a new definition of “cybersecurity incident” to refine the requirements for the entity’s response to a specific cybersecurity event, including remediation, root cause analysis and reporting to NYDFS. A “cybersecurity incident” is a cybersecurity event that (i) requires notification to any governmental or supervisory body; (ii) has a reasonable likelihood of materially harming any material part of the normal operations of a covered entity; or (iii) results in the deployment of ransomware within a material part of a covered entity’s information systems.
General Rules for Covered Entities
Absent a specific limited exemption (see below), all “covered entities” are subject to the new rules. A “covered entity” includes “any person operating under or required to operate under a license, registration, certificate, permit, accreditation or similar authorization” under state banking, insurance or financial services law, without regard to whether other governmental agencies also regulate the covered entity.
Under the new rules, the following requirements will apply to all covered entities that are not eligible for any of the limited exemptions:
- Implementation of a Cybersecurity Program
Under the prior rules, covered entities were required to maintain a cybersecurity program that addressed core cybersecurity functions in the context of the entity’s risk assessment. A cybersecurity program identifies and assesses internal and external risk, creates a defensive infrastructure to detect and block unauthorized access, and establishes a response protocol to cybersecurity incidents that mitigate adverse effects and describes a path to recovery and restoration of normal operations. The new rules retain this requirement for covered institutions but expand coverage to include consideration of nonpublic information maintained on the covered institution’s systems. In addition, a covered entity that relies on a cybersecurity program maintained by an affiliate is required to make the contents of the affiliate program available to examiners.
- Adoption of a Cybersecurity Policy
The new rules retain a requirement that covered institutions adopt a formal cybersecurity policy covering a broad range of cybersecurity concerns, but the policy will now be subject to annual review and approval by a senior officer or the board of directors. In addition, the policy must identify a “senior governing body” for the protection of information systems and nonpublic information. The new rules add new areas of coverage for the policy, including security awareness and training, incident response notification, and vulnerability management. The senior governing body will generally be the board or a board committee but institutions that lack a formal board structure may designate the senior officer or officers who are responsible for the entity’s cybersecurity program.
- Identification and Functions of the “Senior Governing Body”
The new rules set detailed expectations for the board or board committee identified as the “senior governing body” for cybersecurity oversight. The entity must ensure that the senior governing body has a sufficient understanding of cybersecurity matters (including through the use of advisors). In addition, the senior governing body must (i) ensure that management implements and maintains a cybersecurity program; (ii) receive and review management reports on cybersecurity matters; and (iii) ensure that sufficient resources are allocated to the cybersecurity program. The entity’s chief information security officer (“CISO”) must report to the senior governing body at least annually on the cybersecurity program, including consideration of material cybersecurity risks, the overall effectiveness of the cybersecurity program, material cybersecurity events that occurred during the reporting period, and plans for remediating material inadequacies in the program.
- Vulnerability Management
Under the new rules, each covered entity must have written policies and procedures relating to vulnerability management to assess the effectiveness of the entity’s cybersecurity program. A compliant vulnerability management program must, at a minimum, provide for annual penetration testing of internal and external information system boundaries by a qualified internal or external party. In addition, the program must provide for automated scans of information systems (and manual review of systems not covered by an automated scan) to discover, analyze, and report vulnerabilities. The frequency of the vulnerability review will be determined by the entity’s risk assessment, but a vulnerability review is required promptly after the introduction of material system changes. The policy must also provide for timely remediation of vulnerabilities with prioritization based on the risk posed by any specific vulnerability.
- System Access Management
The new rules mandate the use of multi-factor authentication for any individual who accesses the information systems of a covered entity, unless a limited exemption applies (see below). This requirement also extends to authentication of remote access to third-party applications, including cloud-based applications, if nonpublic information is accessible.
- Information System Inventory
Each covered entity is required to maintain a “complete, accurate and documented” inventory of information systems. The inventory must be maintained in accordance with written policies and procedures that provide a method to track key information for each asset and that specify the frequency for updates to the inventory.
- Protection Against Malicious Code
Under the prior rules, covered entities were required to monitor the activity of authorized users and detect unauthorized access to, or tampering with, nonpublic information. The amendment adds a requirement for covered entities to implement risk-based controls to protect against malicious code, including controls that monitor and filter web traffic and electronic mail to block malicious content.
- Encryption of Nonpublic Information
The new rules expand upon the earlier version by requiring covered entities to adopt a written policy regarding encryption of nonpublic information that meets industry standards. If a covered entity determines that encryption is not feasible, effective alternative means may be used; however, the CISO must review and approve such alternative means and review the feasibility of encryption on an annual basis.
- Incident Response
Each covered entity must adopt an incident response plan that reflects a proactive approach to the investigation and mitigation of cybersecurity events. The plan must also outline the entity’s plan for operational resilience in the face of a cybersecurity event, including a plan for incident response, business continuity, and disaster recovery. The plan must identify the response to a variety of cybersecurity events, including ransomware incidents. In addition, the plan must include a protocol for the preparation of a root cause analysis of a cybersecurity event, including identification of the cause of the event, the business impact and a remediation plan.
The rules also include detailed requirements for an entity’s business continuity and disaster recovery plan. At a minimum, such plans must (i) identify the documents, data, facilities, infrastructure, services, personnel and competencies essential to continued operations; (ii) include procedures for communication with essential personnel; (iii) include procedures for the recovery of critical data and information systems; (iv) include procedures for backing up essential information with sufficient frequency; and (v) identify any third parties that are necessary for continued operations. The rules require annual testing of the plan and the implementation of a training program for personnel covered by the plan.
- NYDFS Notification and Reporting
A covered entity must provide NYDFS with prompt electronic notice of a cybersecurity incident, but in any event not later than 72 hours after determining that an incident has occurred. Once reported, a covered entity has an ongoing obligation to update the NYDFS on any material changes or new information previously unavailable.
Separately, each covered entity must provide NYDFS with an annual certification of material compliance with the cybersecurity rules. The certification must be based on data and documentation that are sufficient for the NYDFS to determine material compliance. In addition, a covered entity that is out of compliance must submit a written acknowledgement of noncompliance that specifies the areas of noncompliance and either a remediation timeline or confirmation of remediation.
If a covered entity makes a ransom payment in connection with a cybersecurity incident, the payment must be reported to NYDFS within 24 hours and, within 30 days of the payment, the entity must file a written description of the reasons why the payment was necessary, a description of alternatives considered prior to making the payment, and the due diligence performed with respect to such alternatives and to ensure compliance with OFAC rules.
Special Rules for “Class A” Entities
The amended rules create a special class of covered entities referred to as “Class A” entities. A “Class A” entity is defined as a covered entity (i) with at least $20 million in gross annual revenue in each of the last two fiscal years from all business operations and the business operations of affiliates in New York state and (ii) that has (x) either 2,000 employees on average (in all affiliates regardless of location) over the last two fiscal years or (y) over $1 billion in gross annual revenue in each of the two fiscal years from all business operations of the covered entity (and all affiliates regardless of location). The rule specifies that, when considering affiliates, the calculation of employees and gross annual revenue only includes affiliates that share information, cybersecurity resources, or all or any part of the covered entity’s cybersecurity program.
The following additional requirements apply to a Class A entity:
- Class A companies must design and conduct independent audits of their cybersecurity program based on the entity’s risk assessments. The audit may be conducted by the entity’s internal audit function or by an external auditor.
- Class A companies must monitor privileged access activity through the implementation of a privileged access management solution.
- Class A companies must adopt an automated method of blocking commonly used passwords for all accounts on the information systems of a Class A company. However, if such blocking is deemed infeasible, the entity’s CISO must separately document the reasons why such blocking is infeasible and the use of “reasonably equivalent or more secure compensating controls.”
- Class A companies must implement, unless otherwise approved by the CISO in writing, an endpoint detection and response solution to monitor anomalous activity and a solution that centralizes logging and security event alerts.
The amendment creates a series of limited exemptions for certain covered entities that qualify as smaller companies. In general, the exemptions are available for covered entities with (i) fewer than 20 employees (and independent contractors); (ii) less than $7.5 million in gross annual revenue in each of the last three fiscal years from all business operations and the entity’s business operations in New York; or (iii) less than $15 million in year-end total assets, calculated in accordance with GAAP (and including the assets of all affiliates). The exemptions apply to several of the more burdensome requirements including, among other things, (i) the governance requirements (including the designation of a CISO); (ii) the adoption of a formal cybersecurity program; (iii) the implementation of encryption protocols; and (iv) the development of a formal incident response plan.
Enforcement of the Cybersecurity Rules
NYDFS has adopted a comprehensive enforcement scheme for the cybersecurity rules. The rules specify that the commission of a “single act” prohibited under the rules or the failure to satisfy an obligation under the rules is deemed a violation of the rules, including, without limitation, (i) a failure to secure or prevent unauthorized access to nonpublic information due to noncompliance with specific requirements of the rules or (ii) a material failure to comply with the rules for any 24-hour period. NYDFS will assess penalties based on (i) a covered entity’s cooperation with an investigation into noncompliance; (ii) the good faith of the entity; (iii) whether the violation resulted from unintentional conduct or whether the violation is a consequence of reckless, intentional, or deliberate conduct; (iv) whether the violation related to a failure to remediate prior examination or similar supervisory matters; (v) any history of prior violations; (vi) whether the violation was an isolated incident or part of a pattern of repeated violations; (vii) whether the entity provided false or misleading information to NYDFS; (viii) the extent of harm to consumers; (ix) whether the entity provided accurate and timely disclosures to affected consumers; (x) the gravity of the violations; (xi) the number of violations; (xii) the extent of participation in the violations by the senior governing body; (xiii) whether any other regulatory body imposes a sanction; (xiv) the financial resources of the covered entity; and (xv) whether the entity followed policies and procedures that are generally consistent with nationally recognized cybersecurity frameworks.
Timeline for Implementation
The new DFS cybersecurity requirements will become effective in stages over the next two years:
- December 1, 2023: Cybersecurity event notification and annual compliance certification
- April 29, 2024: Overall compliance deadline for general requirements
- November 1, 2024: Incident response planning; business continuity and disaster recovery plan; governance; and encryption requirements
- May 1, 2025: Vulnerability scanning, password controls, and enhanced monitoring requirements for Class A entities
- November 1, 2025: Asset inventory and multi-factor authentication requirements
The amended cybersecurity rules represent a heavy, and expensive, lift for many NYDFS-regulated financial services firms. The limited scope of the exemptions means that many relatively small entities will face the difficult task of implementing extensive and often complicated cybersecurity protocols and devoting substantial resources to compliance. The amended NYDFS rules are just the latest example of the regulatory focus on cybersecurity matters, coming on the heels of the Securities and Exchange Commission’s new rules governing disclosure of cybersecurity risks and cybersecurity events, which generally take effect next year. The New York rules, which were billed by the state’s governor as a “nation-leading” cybersecurity regulation, will certainly exert considerable influence as other regulators develop or expand their approach to cybersecurity regulation.
On the operational level, it is imperative that NYDFS-regulated companies familiarize themselves with the rules and the implementation timeline. It will take time to develop the governance structure, policies and procedures required by the new rules and to either roll out the technology necessary to comply with the rules or bring existing technology up to the level necessary for compliance. In addition, covered entities must carefully evaluate the qualifications of their information security personnel to ensure that the necessary knowledge base is in place to deal with the enhanced regulatory complexities. Finally, it is critical that board members have or gain the knowledge necessary to provide oversight of an institution’s cybersecurity event program. The effort to comply with the new rules will be multi-faceted and complex. We will be working with our New York clients to assist with the compliance tasks ahead.
While we are pleased to have you contact us by telephone, surface mail, electronic mail, or by facsimile transmission, contacting Kilpatrick Townsend & Stockton LLP or any of its attorneys does not create an attorney-client relationship. The formation of an attorney-client relationship requires consideration of multiple factors, including possible conflicts of interest. An attorney-client relationship is formed only when both you and the Firm have agreed to proceed with a defined engagement.