On November 9, 2022, the New York Department of Financial Services (NYDFS) released its second proposed amendments to the Part 500 Cybersecurity Rule. The proposed amendments revise several aspects of the draft Cybersecurity Rule amendments released on July 29, 2022. These changes reflect several comments made in response to the draft Cybersecurity Rule and further clarify and strengthen various requirements, as highlighted below.
The following are some of the key changes in the proposed amendments:
Notification Requirement
The proposed amendments provide three new cybersecurity events that Covered Entities must report to NYDFS via the NYDFS online cybersecurity portal within 72 hours:
- Unauthorized access to privileged accounts;
- Deployment of ransomware within a material part of the Covered Entity’s systems; and
- Any cybersecurity event affecting a third-party service provider that also affects the Covered Entity.
Additionally, Covered Entities must provide NYDFS with any additional information requested by NYDFS related to the investigation of a cybersecurity event within 90 days of notice. The Covered Entity must also provide continuous updates and any supplementary information related to the investigation.
The proposed amendments provide a new notification requirement for ransomware payments. If a Covered Entity makes a ransomware payment, the Covered Entity is required to notify NYDFS within 24 hours of payment. When notifying NYDFS, a Covered Entity who makes a ransomware payment must also provide a written description of the payment within 30 days, describing why payment was necessary, what alternatives were available and all related diligence performed to ensure compliance with any applicable laws and regulations.
Revised Definition of Class A Companies
The proposed amendments now define Class A companies as Covered Entities with at least $20 million in gross annual revenue in-state in each of the past two fiscal years from business operations of the Covered Entity and its affiliates, and either: (1) more than 2,000 employees over the past two fiscal years, regardless of location, including those of both the Covered Entity and all of its affiliates, or (2) more than $1 billion in gross annual revenue in each of the past two fiscal years from all business operations of the Covered Entity and all of its affiliates. A Covered Entity that qualifies as a Class A company will also be subject to several additional compliance requirements under the proposed amendments, including an independent audit by an external auditor at least annually, the use of external experts to conduct risk assessments at least once every three years and implementation of an endpoint detection and response solution.
Penetration Testing, Vulnerability Assessments and Risk Assessments
The proposed amendments make significant changes to the technical requirements of the Cybersecurity Rule. Some of these changes include:
- Covered Entities must conduct penetration testing of their systems, internally and externally, by a qualified internal or external independent party at least annually.
- Covered Entities must have a monitoring process that ensures prompt notification of any new security vulnerabilities.
- Covered Entities must possess written policies and procedures for vulnerability management, mandate automated scans of systems and manually review systems not covered by these scans as frequently as determined by the risk assessment or promptly after any major system changes.
- Covered Entities must review and update their risk assessments at least annually, and whenever a significant change in business or technology causes a material change to their cyber risk.
Cybersecurity Plan
The proposed amendments now require a Covered Entity to address new issues in their cybersecurity plans, including data retention, end of life management, remote access controls, systems monitoring, security awareness and training, application security, incident notification and vulnerability management.
The proposed amendments also require a Covered Entity to limit the number of accounts, access functions and actual use based on what is necessary for a user to perform their job. This includes a requirement that a Covered Entity periodically, or at least annually, review all user access privileges and remove or disable accounts that are no longer necessary (i.e., prompt termination of systems access following an employee’s departure).
The proposed amendments provide a new certification requirement that requires a Covered Entity to have their highest-ranking executive and CISO (or senior cybersecurity officer) sign an annual certification of compliance to NYDFS Part 500.
Incident Response and Business Continuity and Disaster Recovery Plan
The proposed amendments now require a Covered Entity to provide relevant training on its incident response plan and its business continuity and disaster recovery plan to all employees necessary to implement such plans. These plans must be tested at least annually, and must be distributed and accessible to relevant employees.
Multifactor Authentication
The proposed amendments require a Covered Entity to use multifactor authentication (MFA) for all remote access to systems, third-party applications and all privileged accounts. Alternatively, the CISO can approve in writing the use of reasonably equivalent or more secure controls in place of MFA, and that approval must be reviewed periodically and at least annually by the CISO.
Cybersecurity Governance
The proposed amendments require a senior governing body to approve a Covered Entity’s cybersecurity policies and procedures for the protection of its systems and nonpublic information stored in systems, at least annually.
The proposed amendments also provide several requirements for CISOs, and provide them with the adequate authority to “ensure cybersecurity risks are appropriately managed.” Some of these requirements include timely reporting to the senior governing body regarding material cybersecurity issues (i.e., major cybersecurity events or updates regarding risk assessments) and reporting plans of remediation to address material inadequacies.
The proposed amendments also require a Covered Entity’s board of directors or equivalent (i.e., an appropriate committee of the board) to exercise oversight of cybersecurity risk management, including developing, implementing and maintaining cybersecurity programs. The board of directors or equivalent must possess sufficient expertise or knowledge, or be advised by persons with sufficient expertise or knowledge, to exercise oversight of cybersecurity risk management.
The 60-day public comment period on the proposed amendments ends on January 9, 2023, and members of the public are invited to submit comments.