On June 28, 2023, the New York Department of Financial Services (“NYDFS”) published an updated proposed Second Amendment (“Amendment”) to its Cybersecurity Regulation, 23 NYCRR Part 500. On November 9, 2022, NYDFS published a first draft of the proposed Amendment and received comments from stakeholders over a 60-day period. The updated proposed Amendment will be subject to an additional 45-day comment period.
As a result of the initial 60-day comment period, the updated Amendment incorporates a number of changes, including the following:
Definitions
- NYDFS clarified the thresholds for calculating when covered entities qualify as “Class A Companies,” which would be subject to heightened requirements. A “Class A Company” is a covered entity with at least $20 million in gross annual revenue in each of the last two fiscal years from business operations of the entity and its affiliates in NY and: (1) over 2,000 employees averaged over the last two fiscal years across both the entity and its affiliates; or (2) over $1,000,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the entity and its affiliates. The updated proposed Amendment clarified that, when calculating the number of employees and gross annual revenue, “affiliates” include only those that share information systems, cybersecurity resources or all or any part of a cybersecurity program with the relevant covered entity.
- NYDFS clarified that, while Class A Companies would still be required under the amendments to conduct an “independent audit” of their cybersecurity programs at least annually, such “independent audits” include those conducted by internal auditors free to make decisions (in addition to external auditors).
- NYDFS narrowed the previously proposed definition of “privileged account” so that it is now applies to “any authorized user account or service account that can be used to perform security-relevant functions that ordinary users are not authorized to perform, including but not limited to the ability to add, change, or remove other accounts, or make configuration changes to information systems to make them more or less secure.” The proposed Amendment would still require covered entities to comply with a host of new access control obligations concerning privileged accounts, and notify NYDFS within 72 hours upon becoming aware of a cybersecurity event where an unauthorized user has gained access to a privileged account.
- NYDFS clarified that where a cybersecurity program or part of a cybersecurity program is adopted from an affiliate, the “senior governing body” (e.g., a board or equivalent governing body) may be that of the affiliate. As described below, senior governing bodies would have new oversight responsibilities under the amendments.
Governance Requirements
- Senior Governing Bodies: NYDFS narrowed the previously proposed responsibilities for senior governing bodies by removing the requirement to “provide direction to management on the covered entity’s cybersecurity risk management.” The updated Amendment and supplemental NYDFS guidance clarifies the senior governing body’s primary duty is effective oversight of the entity’s cybersecurity risk management, not involvement in day-to-day operations of management. In addition, NYDFS softened the previously proposed requirement that the senior governing body “have sufficient expertise and knowledge, or be advised by persons with sufficient expertise and knowledge, to exercise effective oversight of cybersecurity risk management” by replacing it with a requirement to “have sufficient understanding of cybersecurity-related matters to exercise such oversight, which may include the use of advisors.”
- Risk Assessments: NYDFS removed in its entirety the previously proposed requirement under Section 500.9(d) that, at least once every three years, Class A companies use external experts to conduct their required risk assessments.
- Incident Response Plan (“IRP”) and Business Continuity and Disaster Recovery Plan (“BCDRP”):
- NYDFS added a proposed requirement that the covered entity’s incident response plan address preparation of a “root cause analysis that describes how and why the event occurred, what business impact it had, and what will be done to prevent reoccurrence.”NYDFS clarified that a covered entity’s BCDR plan, which would required under the proposed amendments, must be designed to ensure availability and functionality of the covered entity’s information systems and material services, and protect personnel, assets and non-public personal information, in the event of a cybersecurity-related disruption to normal business activities.
- NYDFS clarified that covered entities would need to engage in annual testing of both their IRPs and BCDRPs with all staff critical to the response, including senior officers and the highest-ranking executive at the covered entity.
- Backups: With respect to the proposed requirements to maintain and test backups, NYDFS (1) clarified that a covered entity must annually test its ability to restore its “critical data and information systems” from backups; and (2) limited the previously proposed requirement that covered entities maintain backups to those “necessary to restoring material operations.”
Security Measures
- Automated Password Blocker: NYDFS clarified that the requirement for Class A companies to implement “an automated method of blocking commonly used passwords” applies only to accounts on information systems “owned or controlled by a Class A company” and for all other accounts only where “feasible.”
- Multifactor Authentication (“MFA”): NYDFS significantly expanded the scope of the proposed MFA requirements so that they are now aligned with the MFA requirements under the FTC Safeguards Rule. Whereas the original proposed Amendment required MFA only for certain privileged accounts and for remote access to the covered entity’s systems and third-party applications, the updated proposed Amendment broadly requires MFA for any access to the entity’s systems, regardless of whether that access is remote, unless the covered entity qualifies for a limited exemption (in which case the entity must follow the originally proposed MFA requirements). As an alternative, a covered entity’s Chief Information Security Officer (“CISO”) may approve in writing the use of reasonably equivalent or more secure compensating controls, although such controls would need to be reviewed at least annually.
Notifications and Certifications to NYDFS
- Cybersecurity Event Reporting: NYDFS eliminated the previously proposed requirement that covered entities notify NYDFS within 72 hours if they were affected by a cybersecurity event at a third-party service provider. In its place, NYDFS clarified that the other thresholds for cybersecurity event reporting (e.g., an event that has a reasonable likelihood of materially harming a material part of an entity’s normal operations) are met irrespective of whether the event occurred at the covered entity or its service provider. In addition, NYDFS removed the previously proposed requirement to update NYDFS within 90 days of its cybersecurity event notice and replaced it with an obligation to promptly provide information upon NYDFS’s request.
- Annual Certification of Compliance: Currently, companies are required to annually certify their compliance with the NYDFS Cybersecurity Regulations for the prior calendar year. In the updated proposed Amendment, NYDFS has proposed narrowing the scope of the certification to material compliance. In addition, under the original proposed Amendment, NYDFS added an alternative option to the annual certification of compliance that would permit covered entities to submit a written acknowledgement that they did not fully comply with all requirements. In the updated version of the proposed Amendment, NYDFS softened the requirement regarding the written acknowledgment, removing the obligation to identify “all areas, systems and processes that require material improvement, updating or redesign.”
In addition, under the original version of the Amendment, while covered entities were required to comply with some of the new requirements within 180 days of the Amendment’s affective date, other requirements were subject to transitional periods of one year, 18 months, or two years, respectively. Under the updated version of the Amendment, more of the new requirements would be subject to the lengthier transition periods. The new MFA requirements, for example, would be subject to the two-year transition period.
NYDFS provides supplemental detail regarding its revisions to the proposed Amendment and the rationale for these changes in its Assessment of Public Comments. Comments on the updated proposed Amendment must be submitted in writing to NYDFS by 5 pm ET on Monday, August 14, 2023. Submissions should be sent by email to cyberamendment@dfs.ny.gov or by mail to the New York State Department of Financial Services c/o Cybersecurity Division, Attn: Joanne Berman, 1 State Street Plaza, Floor 19, New York, NY, 10004.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code