United States: New York DFS Revises Proposed Amendments To Its Cybersecurity Regulations; Focus Remains On Role Of Boards And Executives

On November 9, 2022, the New York State Department of Financial Services (the "DFS") announced revisions to its proposed amendments ("Proposed Amendments") ¹ to its Cybersecurity Regulations, 23 NYCRR Part 500. The DFS Cybersecurity Regulations were a first-of-its-kind set of state cybersecurity regulations when issued in 2017, requiring that banks, insurance companies, mortgage lenders and brokers, credit reporting agencies and financial institutions and other covered entities, regardless of their size or revenue ("Covered Entities"), adopt cybersecurity measures that safeguard information and protect and enhance the security of their information systems.

The Proposed Amendments, first announced on July 29, 2022 and described in our September 2022 advisory include annual audits and reports, heightened requirements for certain large entities, enhanced technology requirements, and specific oversight and management obligations for directors and senior management.

The recent revisions, described by DFS as a proposed "second" amendment, respond to the comments DFS received to the Proposed Amendments. The recent revisions clarify some requirements, bolster various data protection requirements, and relax others. The new comment period now runs until January 9, 2023. It is likely that these second amendments, perhaps with some minor tweaking, will go into effect in 2023.

Covered Entities and their directors and officers should take notice and evaluate the implications for their businesses. The revisions to the Proposed Amendments, among other things:

• Clarify that the board of directors or equivalent governing body (or a committee thereof) is required to exercise oversight of, and provide direction to management on, the Covered Entity's cybersecurity risk management.
• Narrow the definition of "Class A" companies, for which there are heightened requirements, to those with at least $20 million in gross annual revenue in the last two fiscal years, and (1) an average of 2,000 employees over the last two fiscal years (including affiliates) or (2) over $1 billion in gross annual revenue in the last two fiscal years.
• Eliminate the requirement that a Covered Entity's CISO, must specifically address certain issues (such as the entity's cybersecurity policies and procedures, specific plans for remediating any inadequacies identified in such cybersecurity program, etc.) in a required annual cybersecurity program report to the Board of Directors or similar governing body. Instead, the CISO must merely consider the issues.
• Remove the requirement that Class A companies conduct systematic vulnerability scans or reviews of information systems at least weekly, but require all Covered Entities to have a monitoring process to ensure that new cybersecurity vulnerabilities are identified and remediated.
• Allow an exception to the requirement that Covered Entities have multi-factor authentication for remote access (and in other instances) where the CISO implements and approves in writing a reasonably equivalent protection or more secure compensating controls.
• Require that a Covered Entity, within 90 days of notifying DFS of a cybersecurity event, provide any information requested by DFS regarding investigation of the event and continue to update and supplement the information provided.
• Require that Covered Entities affected by a cybersecurity event that occurred at a third-party service provider notify DFS within 72 hours from the time when the entity becomes aware of the event. This is consistent with the 72-hour timeframe for reporting other cybersecurity events impacting Covered Entities.
• Require that a Covered Entity's cybersecurity awareness training for all personnel occur annually, at a minimum, and include social engineering exercises (not just phishing training).
• Require that a Covered Entity's cybersecurity program have an incident response plan that includes a requirement to investigate, not just mitigate, disruptive events.

Covered Entities should become familiar with all the Proposed Amendments, begin to assess their level of compliance, and begin preparing to implement soon-to-be required administrative, physical, and technical safeguards to ensure compliance. Covered Entities are encouraged to consult legal counsel to assist in interpreting the Proposed Amendments, including the recent revisions, evaluating compliance obligations, and advising on measures to ensure compliance.

Footnote

1. See https://www.dfs.ny.gov/industry_guidance/cybersecurity; https://www.dfs.ny.gov/industry_guidance/regulations/proposed_fsl.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.