NYDFS Proposes Strengthening Cybersecurity Regulation
The New York Department of Financial Services ("NYDFS") issued a proposed second amendment to New York's Cybersecurity Regulation to account for new tools and technologies and provide additional clarity and guidance on NYDFS's risk-based approach to mitigating cybersecurity risks.
NYDFS said that the proposal's enhanced requirements would largely apply to "Class A" companies, which the proposal defines as covered entities with at least $20 million in gross annual revenue (from business operations and any affiliates in the state) that either (i) maintained an average of over 2,000 employees, no matter where located, or (ii) generated over $1 billion in gross annual revenue from all business operations, including revenue from affiliates. Under the proposal, companies would be classified as Class A if they have met each criterion for the two most recent fiscal years. Consistent with the existing regulation, under the proposal, smaller companies would be subject to limited exemptions from some requirements, with a slightly higher size threshold for such exempt companies.
The proposal includes updated risk assessment procedures to account for new technologies, including (i) controls against malware and other malicious code and (ii) password-blocking technology to prevent the use of commonly used passwords. The proposal would also require business continuity plans to be made available upon request from NYDFS. Class A companies would be required to provide a copy of their cybersecurity program to NYDFS, which would monitor plans through required independent audits.
Additionally, companies would be required to designate a Chief Information Security Officer ("CISO") responsible for overseeing the cybersecurity compliance program. The CISO would be required to present an annual report to the company's board of directors covering (i) relevant cybersecurity policies, (ii) pertinent cybersecurity risks, (iii) any cybersecurity events and (iv) plans for remediating the issues.
NYDFS said that it will accept comment on the proposal until January 9, 2023, after which it will either re-propose a revised version or adopt the final amended regulation.
Commentary
While some covered entities may prefer a more flexible compliance standard, the relative precision of some of the newly proposed prescriptive controls may come as welcome relief to others who have longed for clear guidance and direction on how to design a compliant cybersecurity program. Among other things, the proposal (i) swaps "annual" time periods for the previously defined "periodic" time periods; (ii) specifies that multi-factor authentication should be implemented for (1) specified instances of remote access and (2) privileged accounts, rather than simply stating that it should be implemented for every individual who accesses a covered entity's "internal networks from an external network"; and (iii) plainly states the minimum criteria that should be used to prepare an asset inventory.