Effective November 1, 2023, New York State Department of Financial Services (“DFS”) Strengthens Cybersecurity Requirements for Financial Services Companies. All companies should take account of these amendments, as these DFS regulations are increasingly referenced as key benchmarks for cybersecurity compliance programs.
New York State’s Department of Financial Services (“DFS”) finalized significant amendments to 23 CRR-NY 500, “Cybersecurity Requirements for Financial Services Companies” (“Part 500”). This follows two rounds of proposed amendments and public comment periods. Covered entities should take steps to address the amendments to the regulations.
Part 500, as amended, reinforces what was already one of the most robust cybersecurity regulations in the country, and requires “covered entities”—that is, anyone operating under (or required to operate under) an authorization under New York banking, insurance or financial services law—to implement specific governance controls, technical safeguards, and incident preparedness and response protocols. The amendments took effect immediately upon being finalized on November 1, 2023. However, covered entities will have 180 days from the effective date of the amendments to achieve compliance with most of the new requirements. Certain requirements for multi-factor authentication will take effect two years after the finalized amendments are adopted and other requirements for incident response planning and cybersecurity governance will take effect one year following adoption of the amendments.
Some notable features of the amendment include:
- Creates “Class A” companies, which will be subject to stricter requirements, outlined below. Class A companies are defined as covered entities with at least $20,000,000 in gross annual revenue in each of the last two fiscal years from business operations of the covered entity and its affiliates in New York and:
  - over 2,000 employees averaged over the last two fiscal years, including employees of both the covered entity and all of its affiliates no matter where located; or
  - over $1,000,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and all of its affiliates.
- Introduces enhanced requirements for Class A companies, including independent audits completed at least annually, as well as certain technical safeguards like endpoint monitoring, privileged access management, and vulnerability scans.
- Introduces a requirement that all covered entities update their cybersecurity risk assessments annually.
- Introduces a new term, “cybersecurity incident,” which means a cybersecurity event that has occurred at the covered entity, its affiliates, or a third-party service provider that (i) impacts the covered entity and requires the covered entity to notify any government body, self-regulatory agency or any other supervisory body; (ii) has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity; or (iii) results in the deployment of ransomware within a material part of the covered entity’s information systems.
- Introduces required technical safeguards for privileged accounts, including password management and the use of multi-factor authentication (MFA). MFA had previously been required for any individual accessing a covered entity’s internal networks from an external network, but the amendments extend the MFA requirement to the accessing of the covered entity’s information systems from any location.
- Creates new requirements for cyber risk governance, including that the Chief Information Security Officer (“CISO”) make timely reports to the Board of Directors (the “Board”) regarding cybersecurity issues, and that the Board:
  - exercise effective oversight of the covered entity’s cybersecurity risk management;
  - have sufficient understanding of cybersecurity-related matters to exercise such oversight, which may include the use of advisors; and
  - require the covered entity’s executive management or its designees to develop, implement and maintain the covered entity’s cybersecurity program.
- Creates new requirements for a covered entity to, at a minimum, annually test its incident response and business continuity and disaster recovery plans and its ability to restore critical data from backups.
- Introduces new reporting requirements mandating that covered entities report within 24 hours of making a ransom payment, and within 30 days provide a statement describing why the payment was necessary, the alternative means considered, and the steps taken to ensure compliance with relevant laws.
- In the final amendments, DFS clarified that a covered entity shall notify the superintendent “as promptly as possible but in no event later than 72 hours after determining that a cybersecurity incident has occurred…”
Part 500 was initially introduced in March 2017. It was a first-of-its-kind regulation that aimed to improve cybersecurity preparedness, response, and governance in New York’s financial services sector. It included several provisions related to an entity’s cybersecurity program, like the requirement that it be overseen by a CISO or the equivalent and incorporate risk-based measures for information security standards (like encryption, penetration testing, and access management). It also required that covered entities report cybersecurity events to DFS within 72 hours. In the years since Part 500 became effective, DFS has demonstrated a willingness to enforce its provisions aggressively where entities failed to comply:
- In March 2021, DFS ordered a mortgage banker to pay a $1.5 million penalty for its failure to disclose or conduct an investigation into a 2019 phishing attack. The attack allowed hackers to access the email account of an employee who handled a substantial amount of customer financial information. According to DFS, the comparatively modest penalty reflects that the company was cooperative during the DFS review of the incident.
- In June 2022, an operator of a large cruise line was ordered to pay a $5 million penalty to settle an enforcement action in relation to four incidents that occurred between 2019 and 2021, in which threat actors respectively gained access to 124 employee accounts, accessed and encrypted information systems as part of a ransomware attack, downloaded customer passport numbers and dates of birth and employee credit card numbers, and exposed guests’, employees’, and crews’ names, addresses, phone numbers, passport numbers, dates of birth, health information, social security and national identification numbers. The DFS investigation of these events found that the cruise line had failed to implement MFA as required by Part 500, did not offer adequate training to its employees and filed noncompliant certifications.
- In August 2022, a cryptocurrency investment platform was fined $30 million for deficiencies in its cybersecurity program (alongside alleged violations of DFS anti-money laundering requirements). The DFS review concluded that the company relied exclusively on the cybersecurity program of its affiliate, which did not fully address the company’s specific risks, operations and reporting lines. In particular, the company’s program violated Part 500 insofar as it did not require its CISO to report at least annually to the Board and there were insufficient procedures for the Board to approve its written cybersecurity policy at least annually. This action shows how seriously DFS considers cybersecurity governance and that Part 500 enforcement isn’t reserved exclusively for debilitating cyber-attacks.
- In October 2022, DFS imposed a $4.5 million penalty on a health insurance company in relation to a 2020 event that allowed a threat actor to access and infiltrate an account that contained six years’ worth of customer information. The DFS review of the incident found that the company had not fully implemented MFA, relied on cybersecurity assessments that did not meet Part 500’s standards, did not implement access controls, and filed noncompliant certifications with DFS.
Focus on Governance and Board Oversight
Importantly, DFS maintains a requirement that the Board exercise oversight of cybersecurity risk in certain specific ways. The final Part 500 requires that the Board (or equivalent “senior governing body”) “exercise oversight of the covered entity’s cybersecurity risk management, including by:
- having sufficient understanding of cybersecurity-related matters to exercise such oversight, which may include the use of advisors;
- requiring the covered entity’s executive management or its designees to develop, implement and maintain the covered entity’s cybersecurity program;
- regularly receiving and reviewing management reports about cybersecurity matters; and
- confirming that the covered entity’s management has allocated sufficient resources to implement and maintain an effective cybersecurity program.”
While stopping short of requiring that Boards include cybersecurity experts among their members, DFS is clearly signaling an expectation that oversight of cybersecurity risk become a Board-level priority, if it is not already.
Covered entities should take steps now to integrate the new requirements so that they are in compliance by the newly established effective dates. Some key recommended steps that companies can take now include:
- Organizations should consider the application of Part 500 to their business and take steps to operationalize compliance as necessary. Organizations should take note that even firms that aren’t directly governed by Part 500 as covered entities should assess the potential applicability of the amended regulation to affiliates and subsidiaries and should review impacts on enterprise-wide cybersecurity policies.
- Conduct gap assessments by reviewing existing cybersecurity governance programs, identifying where gaps exist, and ensuring these gaps are remediated by the effective dates.
- Class A companies should engage independent third-party auditors as required by the revised amendments.
- Covered entities should review and update their incident response plans, and test those plans by conducting tabletop exercises with key stakeholders. This includes tabletop exercises with senior leadership and/or board members. Covered entities should also note that certain requirements, such as the 72-hour reporting deadline, may differ from other applicable requirements, and these distinctions should be accounted for in their incident response plans.
- In light of the reporting requirement for ransom payments, covered entities may want to consider creating a specific “playbook” for ransom events that includes a framework for assessing whether and when such a payment may be made.