On November 1, the New York State Department of Financial Services (NYDFS) adopted comprehensive amendments to the Cybersecurity Regulations (known as Part 500). The draft amendments were first published in July 2022 and were finalized after three rounds of public comment. The amendments will become effective on December 1, 2023, and provide a “transition period” of up to 24 months from the date of publication for covered entities to comply with certain provisions.[1]
Tightening requirements for “Class A companies”
One of the biggest changes to Part 500 is the creation of a new class of covered entities called “Class A companies.” A “covered entity” under the NYDFS regulation is any person (including a partnership or other business entity) that operates or is required to operate under a license, registration, charter, permit, or similar authorization under the banking, insurance, or financial services laws of the State of New York, regardless of whether the covered entity is also regulated by other government agencies.
Under the proposed amendments, a “Class A company” is a covered entity with gross annual revenues of more than $20 million in each of the past two years from business operations in New York and either (1) 2,000 or more employees worldwide or (2) annual gross revenues of over $1 billion worldwide. All three of these thresholds are measured including the covered entity’s affiliates.
Strict requirements for Class A companies include:
- Conduct an independent annual audit of the cybersecurity program, scoped according to the covered entity’s risk assessment.
- Implement a privileged access management solution to monitor privileged access activity, and automatically block commonly used passwords.
- Implement an endpoint detection and response solution to monitor and record potentially anomalous activity and security events.
The Chief Information Security Officer (CISO) may approve the use of reasonably equivalent or more secure alternatives to endpoint detection and response logging, but those alternatives must be documented and reviewed at least annually.
Cybersecurity event and ransom payment notifications
Starting December 1, 2023, all covered entities must notify NYDFS within 72 hours of a “cybersecurity event” that:
- Has a reasonable likelihood of materially harming a material part of the normal operations of the covered entity or its affiliates;
- Requires the covered entity to notify another government agency or other authority; or
- Involves the deployment of ransomware within the systems of the covered entity or its affiliates.
“Cybersecurity event” is defined as any act or attempt, successful or unsuccessful, to gain unauthorized access to, destroy, or misuse a covered entity’s information system or the information stored on it. The definition also covers the systems of the covered entity’s affiliates. NYDFS’s position is that any deployment of ransomware within the systems of a covered entity or its affiliates is a notifiable event, regardless of whether the ransomware has had a significant impact.
Additionally, covered entities must notify NYDFS within 24 hours after making a ransom payment or other extortion payment in connection with a cybersecurity event. Within 30 days of the payment, the covered entity must provide a written explanation of why the payment was necessary, the alternatives that were considered, the due diligence the entity performed to find payment alternatives, and the due diligence it performed to ensure that the payment complied with applicable sanctions rules and other regulations before it was made.
Annual review of internal policies and risk assessments
Covered entities must update their internal risk assessments by April 29, 2024, and thereafter at least annually and whenever a change in business operations or technology results in a material change to the enterprise’s cyber risk.
After updating the risk assessment, covered entities must also update their cybersecurity policies. This amendment adds the following to the existing list of topics that should be addressed in a cybersecurity policy:
- Data retention
- End-of-life management
- Remote access control
- System and network monitoring
- Security awareness and training
- System and application security
- Incident notification
- Vulnerability management
The proposed amendments also require all covered entities to review and update their cybersecurity policies at least annually, starting April 29, 2024.
Senior governing body oversight
To strengthen cybersecurity oversight, the proposed amendments introduce the new term “senior governing body,” defined as “the board of directors (or an appropriate committee thereof) or an equivalent governing body or, if neither exists, the senior officer or officers of a covered entity responsible for the covered entity’s cybersecurity program.”
Starting April 29, 2024, the senior governing body must approve all cybersecurity policies and procedures at least annually and must review all risk assessments obtained or conducted by management.
By November 1, 2024, the senior governing body must begin exercising oversight of the covered entity’s cybersecurity risk management. The proposed amendments require the senior governing body, at a minimum, to:
- Have sufficient understanding of cybersecurity-related matters to exercise that oversight, using advisors and experts as necessary;
- Require the covered entity’s management or its designee to develop, implement, and maintain the covered entity’s cybersecurity program;
- Regularly receive and review management reports on cybersecurity matters; and
- Confirm that the covered entity’s management has allocated sufficient resources to implement and maintain an effective cybersecurity program.
New responsibilities of the Chief Information Security Officer
Part 500 already briefly mentions the CISO, but the proposed amendments add a definition of the role as “a qualified individual responsible for overseeing and implementing a covered entity’s cybersecurity program and enforcing its cybersecurity policies.” The proposed amendments also list new duties for the CISO.
Previously, CISOs were required to submit annual cybersecurity reports; the amendments make clear that the CISO must submit a written report to senior management at least once a year. The CISO’s annual report must address the covered entity’s cybersecurity program and its material cybersecurity risks. Starting November 1, 2024, the annual report must also include plans to remediate material cybersecurity deficiencies.
Additionally, beginning November 1, 2024, the CISO must provide timely updates to the senior governing body on significant cybersecurity issues as they occur, including significant cybersecurity events and significant changes to the covered entity’s cybersecurity program. Finally, the CISO must implement a written data encryption policy that covers all non-public information at rest and in transit and meets industry standards. Where encryption is infeasible, the CISO may approve compensating controls, but those controls must be documented and reviewed at least annually.
Asset inventory
All covered entities must have written policies and procedures in place by November 1, 2025, for maintaining a complete asset inventory of their information systems. The inventory must track at least the following information for each asset:
- Owner
- Location
- Classification or sensitivity
- Support expiration date
- Recovery time objective
- Frequency with which the inventory is updated and validated
Business continuity and disaster recovery
While the existing Part 500 made only sparse reference to incident response plans, the amendments add incident response requirements and also create specific obligations for business continuity and disaster recovery (BCDR) plans. By November 1, 2024, covered entities must maintain a BCDR plan designed to ensure the availability and functionality of the covered entity’s information systems and critical services and to protect its assets and data in the event of a cybersecurity-related disruption. A BCDR plan must, at a minimum:
- Identify the documents, data, facilities, infrastructure, services, personnel, and competencies essential to the covered entity’s business continuity;
- Identify the supervisory personnel responsible for implementing each aspect of the BCDR plan;
- Include a plan for communicating with employees, counterparties, regulators, third-party service providers, disaster recovery specialists, senior management, and other personnel essential to recovering documents and data and resuming operations, in the event of a cybersecurity-related disruption to the covered entity’s operations;
- Include procedures for the timely recovery of critical data and information systems and the resumption of operations as soon as reasonably possible following a cybersecurity-related disruption to normal business operations;
- Include procedures for backing up or copying information essential to the covered entity’s operations with sufficient frequency, and for storing that information off-site; and
- Identify the third parties necessary for the continued operation of the covered entity’s information systems.
Covered entities must also make a current copy of the BCDR plan accessible to all employees necessary to implement it during a cybersecurity event, and must train those employees on how to implement the plan. Incident response and BCDR plans must be tested at least annually. Finally, all covered entities must maintain backups of the data needed to restore critical operations and must test their restoration procedures at least once a year.
Penetration testing and automated scanning
By May 1, 2025, the proposed amendments require covered entities to conduct penetration testing of their information systems at least once a year, from both inside and outside the boundaries of those systems. The proposed amendments also require automated scans of the covered entity’s information systems, designed to discover, analyze, and report vulnerabilities, at a frequency determined by the entity’s risk assessment. Systems that cannot be scanned automatically must be reviewed manually. The amendments also call for new policies and procedures designed to promptly identify new vulnerabilities and to remediate them in a timely manner, prioritized according to the risk they present.
Access control and multi-factor authentication (MFA)
The proposed amendments list a number of new requirements for access control and password management, including requiring covered entities to follow the principle of least privilege, limit the number of accounts with privileged access, promptly review and remove the credentials of terminated users, and maintain a written password policy. Covered entities must implement these access and password controls by May 1, 2025.
The proposed amendments also require covered entities to use MFA for anyone accessing their information systems. The CISO may approve reasonably equivalent or more secure alternatives to MFA as compensating controls, but those controls must be documented and reviewed at least annually.
Cybersecurity awareness training
While cybersecurity awareness training was already required under Part 500, the amendments now require covered entities to provide that training to all personnel at least once a year. Starting April 29, 2024, the training must specifically cover social engineering.
Compliance Certification
By April 15, 2024, and annually thereafter, covered entities must submit either a signed certification that the entity was in material compliance with Part 500 during the prior year or a written acknowledgment that it was not. An acknowledgment of noncompliance must identify the sections of Part 500 with which the entity did not comply and provide a remediation timeline. Each certification of material compliance or written acknowledgment of noncompliance must be signed by both the covered entity’s highest-ranking executive (e.g., the CEO) and its CISO (or, if there is no CISO, the next highest-ranking person responsible for the entity’s cybersecurity program).
[1] The proposed amendments provide certain exemptions for small businesses, defined as covered entities with fewer than 20 employees, less than $7.5 million in annual gross revenue in each of the past three years, or less than $15 million in year-end total assets, and extend some deadlines for them. Unless otherwise noted, the deadlines in this article do not reflect the extensions available to small businesses.