NYDFS Proposes New Changes to Its Cybersecurity Rules
Recently proposed amendments to the NYDFS Cybersecurity Regulation would demand new technological enhancements, audit and risk assessment requirements of companies.
If you work at a bank, insurance company, or any other regulated financial services institution that does business in New York, you no doubt know the rigorous demands of the New York Department of Financial Services (NYDFS) Cybersecurity Regulation.
Since March 2017, the regulation, 23 NYCRR 500, has required companies take steps to enhance their cybersecurity posture, like encrypting sensitive data, appointing a CISO (Chief Information Security Officer) and having processes and plans in place if there's a data breach.
New changes to the Cybersecurity Rules, proposed last week, could augment those requirements however.
Draft Amendments to the Rules, released July 29, could impose a mandatory 24-hour notification window for cyber ransom payments, annual independent cybersecurity audits for larger firms, and higher expectations for board expertise when it comes to overseeing the business' cyber risk.
The amendments aren’t final; they will likely undergo several changes over the next few months and won't go into effect until next year.
One of the amendments would create a new class of company, Class A, for covered entities with over 2,000 employees or over $1 billion in gross annual revenue averaged over the last three fiscal years, and new requirements for them.
Class A companies would have to undergo annual audits of their security program, weekly vulnerability assessments, as well as implement a way to manage passwords for privileged accounts and a way to block commonly used passwords, and if not already in place, a way to monitor anomalous activity, lateral movement. Organizations would also need to have a solution that centralizes logging and security event alerting, like a SIEM, in place.
The Securities and Exchange Commission recently released a proposal of its own on enhancing cybersecurity risk management programs. In it, it stressed that board members identify their experience, education, or knowledge, skills or other background in cybersecurity. Similarly, NYDFS is pushing for the boards of covered entities to have "sufficient expertise and knowledge, or be advised by persons with sufficient expertise and knowledge, to exercise effective oversight of cyber risk and a committee or subcommittee assigned responsibility for cybersecurity."
When to notify regulators following an attack or ransomware incident – specifically how long after – has been a source of debate regardless of the industry as of late.
If the new NYDFS rules are amended, organizations would have to notify the NYDFS superintendent as soon as possible but no later that 72 hours if there's been a cybersecurity event - that includes ransomware, the discovery of an attack that could harm part of day-to-day operations, or an attacker has gained access to a privileged account. Organizations would have 24 hours to acknowledge when there's been a ransomware payment and 30 days to explain why exactly it was paid and what alternatives, if any, were considered.
Some of the NYDFS other proposed amendments were foreshadowed last summer, following the Colonial Pipeline attack, in guidance it issued on preventing and mitigating ransomware attacks. In that guidance it said it was considering revising its Cybersecurity Regulation to address the evolution in cyber risk. Some of those, like ensuring that organizations deploy multifactor authentication for all privileged accounts, and that incident response plans are battle-tested and address ransomware incidents, have surfaced in these Draft amendments.
Others, like an amended Section 500.13, which stresses that organizations have policies in place to ensure there's a thorough and documented asset inventory - including information systems, operating systems, applications, APIs, and cloud services - sound like they may have been informed by recent, apparently endemic, supply chain issues like log4j.
While these changes aren't comprehensive - there's a handful of other amendments in the 19-page NYDFS Draft documentation - it should give covered entities an idea where things are going with 23 NYCRR 500.