The Big Apple now demands big commitments from financial institutions regarding cybersecurity practices. Yesterday, the New York State Department of Financial Services (“NYDFS”) adopted its second set of amendments to its 2015 “Cybersecurity Requirements For Financial Services Companies” (“Amended Cybersecurity Regulation”), with some amendments immediately going into effect. The law requires “covered entities,” including but limited to financial institutions or insurance providers authorized to conduct business in New York, to implement and maintain a cybersecurity program, to report cybersecurity events, and to annually certify their compliance with the law. The Amended Cybersecurity Regulation now requires:

  1. Increased accountability by the entities’ executives;
  2. Additional disclosures surrounding ransom payments;
  3. Enhanced obligations to larger corporations; and
  4. More onerous security safeguards within a covered entity’s program.

Executive Accountability. The Amended Cybersecurity Regulation requires a covered entity’s executives to demonstrate sufficient knowledge of, and oversight over, the company’s cybersecurity risk management. Most critically, a covered entity’s highest-ranking executive and its Chief Information Security Officer (“CISO”) must sign the company’s annual certification as to the covered entity’s compliance with the law[1]; thus, these individuals must have sufficient knowledge regarding the cybersecurity program and any cybersecurity events occurring during the certification year.

The amendments also demand that a covered entity’s “senior governing board,” such as the board of directors, demonstrate sufficient oversight over, and understanding of, their cybersecurity risk management.[2] This group must also receive timely reports from the CISO regarding material cybersecurity issues, such as significant updates to the covered entity’s risk assessment or significant cybersecurity events. ‘[3]

Ransom Payments. Due to the rise in ransomware payments and government efforts to curb such payments, NYDFS must receive timely information surrounding any extortion payment made by a covered entity in connection with a cybersecurity event. It must provide notice via a web form on NYDFS’s website with notice of payment within 24 hours of such payment and a description of their extortion payment analyses (i.e. why the payment was necessary) within 30 days of payment.[4]

Large Company Obligations. The Amended Cybersecurity Regulation imposes additional obligations on “Class A Companies,” large entities meeting the regulation’s revenue and/or employee threshold; for example, requiring an annual “independent” audit. [5]

Business Recovery. The Amended Cybersecurity Regulation promotes “operational resiliency” in cybersecurity events by creating additional requirements for business continuity and disaster recovery plans (“BC/DR Plan”) and incident response plans. [6]

It requires specific parameters in the BC/DR Plan and, particularly, the coordination with vendors. For example, the BC/DR Plan must (a) contemplate any communications “with essential persons in the event of a cybersecurity-related disruption to the operations of the covered entity, including… third party service providers…”  and (b) identify all third parties “necessary to the continued operations of the business’s information systems.”[7]

Covered entities must also maintain backups necessary to restore material operations and incorporate its back-up processes, including recovery, in the BC/DR Plan and incident response plan.[8]

Finally, covered entities must test these plans at least annually with necessary staff, including its senior officers and its highest-ranking executive.[9]

Enhanced Safeguards. In addition to the measures above, the Amended Cybersecurity Regulation required numerous technical and administrative security measures to enhance the entity’s the cybersecurity program, including but not limited to:

  • Implementation of a privileged account management program;[10]
  • Development of policies and procedures for the complete, accurate, and documented asset inventory of the Covered Entity’s Information System;[11]
  • Initiation of risk assessments for changes in the business or technology causing a “material change to the covered entities’ cyber risk;” [12]
  • Utilization of multi-factor authentication; and [13]
  • Enhancement to the vulnerability testing and timely remediation based on the testing.[14]

Varying Effective Dates. NYDFS adopted the Amended Cybersecurity Regulations with varying effective dates for the amendments. For example, the amendments surrounding the training of the senior governing board and the testing of the BC/DR Plan go into effect in one-year (November 1, 2024); while the amendments surrounding vulnerability management and access privileges go into effect in 18 months (May 1, 2026).[15]

Key Takeaways:

  • Covered entities must regularly educate its executives, including its board of directors, on its cybersecurity program and on its policies regarding cybersecurity events, especially the CEO who will likely sign the annual certification.
  • When an extortion payment may occur, companies should detail its rationale and be prepared to support its decisions considering NYDFS’s oversight.
  • Backups must be a critical component addressed and tested in a company’s BC/DR Plan and incident response plan.
  • Companies must spend the additional resources and time to implement the new technical and administrative security measures.

[1] 23 NYCRR § 500.17.

[2] 23 NYCRR § 500.04.

[3] Id.

[4] 23 NYCRR § 500.17.

[5] 23 NYCRR §§ 500.02.

[6] 23 NYCRR § 500.16.

[7] Id.

[8] Id.

[9] Id.

[10] 23 NYCRR § 500.07(a).

[11] 23 NYCRR § 500.13(a).

[12] 23 NYCRR § 500.09(c).

[13] 23 NYCRR § 500.12.

[14] 23 NYCRR § 500.05.

[15] 23 NYCRR § 500.22(c) & (d).