On July 29, 2022, the New York Department of Financial Services (NYDFS) released pre-proposed Draft Amendments to its existing Part 500 Cybersecurity Regulation (23 NYCRR 500). The Draft Amendments can be grouped into six categories: Assessments, Technical Requirements, Governance, Obligations for Larger Companies, Notifications, and Penalties.
Assessments
The Draft Amendments expand the current definition of Risk Assessment to ensure that each assessment is specific to the covered entity rather than generic:
- The process of identifying cybersecurity risks to organizational operations (including mission, functions, image, and reputation), assets, individuals, customers, other organizations, and critical infrastructure resulting from the operation of an information system.
- Risk assessments must consider the specific circumstances of the covered entity, including its size, services, customers, vendors, and their locations. Risk assessments incorporate threat and vulnerability analyses, and consider mitigations provided by security controls planned or in place.
- Risk assessments must be updated annually, and an impact assessment conducted whenever there is a change to the entity’s cyber risk (e.g., as a result of business/technology change).
In addition, organizations must conduct:
- Regular vulnerability assessments,
- Annual penetration testing of information systems by a qualified independent party based on relevant identified risks in the risk assessment. Gaps found in testing must be reported to the senior governing body and senior management.
Technical Requirements
Amendments to access controls state that organizations must:
- limit the number of privileged accounts and limit the access functions of privileged accounts [1] to only those necessary to perform the user's job,
- limit the use of privileged accounts to only when performing functions requiring the use of such access,
- periodically review all user access privileges and remove accounts and access that are no longer necessary,
- disable or securely configure all protocols that permit remote control of devices,
- ensure strong, unique passwords are used.
MFA must be used for:
- remote access to the network and enterprise and third-party applications from which nonpublic information is accessible,
- all privileged accounts, except for service accounts that prohibit interactive login and for which the CISO has given written approval of compensating controls.
- Note: the Draft Amendments remove text messages sent to mobile phones from the definition of an acceptable MFA factor.
All organizations must have written policies and procedures for asset inventory that tracks key information including the owner, location, classification or sensitivity, support expiration date, and recovery time requirements. This encompasses all information systems and their components such as hardware, operating systems, applications, infrastructure devices, APIs, and cloud services.
Organizations must also:
- monitor and filter emails to block malicious content from reaching authorized users.
- conduct phishing exercises and simulations when appropriate.
- maintain backups that are isolated from network connections.
Governance
- Annual approval of the company's cybersecurity policies by the organization's senior governing body. [2]
- Documented procedures for implementing policies. Policies must address end-of-life management of systems, remote access, and vulnerability and patch management.
- The CISO (or a qualified individual designated to oversee the implementation of the cybersecurity program) must have adequate independence and authority to ensure cybersecurity risks are appropriately managed.
- In the annual cyber report to the senior governing body, the CISO must include remediation plans for identified inadequacies, updates to the risk assessment, and major cyber events.
- The senior governing body must require management to maintain the organization's information security program, and must itself have, or be advised by, persons with sufficient expertise and knowledge to exercise effective oversight of cyber risk.
- A written policy requiring industry-standard encryption. Where encryption is not feasible, compensating controls may be used; the CISO must review the feasibility of encryption and the adequacy of any compensating controls at least annually.
IRP/BCP/DR:
Incident response plans must address recovery from backups and the different types of cybersecurity events the entity may face, including ransomware incidents.
All BCP/DR plans must:
- identify documents, data, facilities, infrastructure, and personnel (internal/external) essential to continued operations,
- identify the supervisory personnel responsible for implementing the plan,
- include a plan to communicate with essential persons in the event of any disruption,
- include procedures for the maintenance of back-up facilities and alternative staffing,
- include procedures for backing up documents and data essential to operations and storing that information offsite.
Organizations must:
- distribute copies of the plans, and any revisions to them, to all relevant employees and maintain copies of the plans at one or more accessible offsite locations.
- provide relevant training to all employees responsible for implementing the plans regarding their roles and responsibilities.
- periodically test their incident response plans with all staff critical to the response, including senior officers and the CEO.
Obligations for Larger Companies
"Class A" companies are defined as those with over 2,000 employees or over $1 billion in gross annual revenue, in each case averaged over the last three fiscal years. These companies must:
- Conduct an independent audit of their cybersecurity programs at least annually. [3]
- Use external experts to conduct a risk assessment at least once every three years and systematic scans or reviews at least weekly.
- Monitor privileged access activity by implementing a password vaulting solution for privileged accounts [1] and an automated method of blocking commonly used passwords.
- Implement an endpoint detection and response solution to monitor anomalous activity, including but not limited to lateral movement; and a solution that centralizes logging and security event alerting.
Notifications
- NYDFS must be notified within 72 hours of any unauthorized access to privileged accounts or deployment of ransomware.
- Any extortion payment made in connection with a cybersecurity incident must be reported within 24 hours of the payment;
- Within 30 days of the payment, the entity must provide a written description of the reasons payment was necessary, the alternatives considered, and all diligence performed to ensure compliance with applicable regulations.
- The annual certification of compliance must be signed by the CEO and the CISO and electronically submitted by April 15. Documentation of remedial efforts planned with a timeline must be provided if not fully compliant.
Penalties
Violations include:
- the failure to secure or prevent unauthorized access to nonpublic information due to noncompliance with any sections above.
- the failure to comply for any 24-hour period with any section.
- Commission of a single act prohibited in any section.
Factors considered when assessing a penalty include the entity's cooperation and good faith, whether the violation was intentional, the history of prior violations, harm to customers, penalties imposed by other regulators, and the number of violations, among others.
Exemptions and Timelines
To qualify for the limited exemption from some parts of these amendments, a firm must meet at least one of the following: fewer than 20 employees, gross annual revenue of less than $5 million averaged over the last three fiscal years, or less than $15 million in year-end total assets. A Notice of Exemption must be filed with NYDFS.
Organizations should closely review the Draft Amendments and consider providing feedback during the pre-proposal comments period (ending August 8, 2022). In the coming weeks, the official proposed amendments will be published, followed by a 60-day comment period.
Organizations have 180 days from the effective date of the amendments to comply with the new requirements.
[1] Privileged account means any authorized user account or service account that can be used to: (1) perform security-relevant functions that ordinary users are not authorized to perform, including the ability to add, change, or remove other accounts, or make configuration changes to operating systems or applications to make them more or less secure; or (2) affect a material change to the technical or business operations of the covered entity.
[2] Senior governing body means the covered entity's board of directors (or an appropriate committee thereof) or equivalent governing body or, if neither of those exist, the senior officer of the covered entity responsible for the covered entity's cybersecurity program.
[3] An independent audit is defined as an audit conducted by auditors (internal or external) who are free to make their own decisions and are not influenced by the entity being audited or by its owners, managers, or employees.