Blog: NYDFS Publishes Official Amendments To Its Cybersecurity Regulation – Financial Services – United States – Mondaq

NYDFS Publishes Official Amendments To Its Cybersecurity Regulation

23 November 2022

Debevoise & Plimpton

On November 9, 2022, the New York Department of Financial
Services (“NYDFS”) announced the publication of the official proposed amendments to its 2017 Cybersecurity Regulation, 23 NYCRR 500
(“Proposed Amendments”). This announcement follows a
highly active pre-proposal comment period, during which industry
stakeholders shared their thoughts with the NYDFS on the changes
under consideration, which we covered in an Overview, in a Q&A, and during a webcast. The 60-day public comment period on
the Proposed Amendments ends on January 9, 2023. In this blog post,
we discuss our initial observations on the significant changes between the new release
and the pre-proposal.

Highlights of what we learned from the revisions:

  • NYDFS took the time to ingest comments and clarify
    interpretations, so the next round of comments is very
    important.
  • The Revised Proposal softens the definition of Class A
    companies.
  • The Revised Proposal softens the prescriptive requirements
    around key controls, bringing back some of the risk-based elements
    of the existing Part 500.
  • NYDFS understands that the implementation periods for some
    technical elements were too aggressive and has softened those
    requirements.

Revised Definition of Class A Companies and of Other Key Terms

In the pre-proposal, NYDFS created a new category of companies
called “Class A” companies. Class A companies were
defined as those with over 2,000 employees as part of the covered
entity and its affiliates OR those companies with over $1 billion
in gross annual revenues averaged over the last three years for the
covered entity and affiliates. The Proposed Amendments revised the
definition of Class A Companies. The new formulation appears
designed to reduce the scope of the Class A Companies.

  • As a threshold, the Covered Entity must have an
    in-state (New York) gross annual revenue of
    “at least $20,000,000 in each of the last two
    fiscal years from business operations of the covered
    entity and its affiliates.” This may exclude some
    international banks with small branches in New York from the Class
    A definition.
  • If the $20 million revenue in New York threshold is met, then:
    • The Proposed Amendments now clarify that a company would be a
      Class A if it has 2,000 employees as an
      average over the last two fiscal years,
      still accounting for the covered entity and affiliates.
    • Alternatively, a company can be Class A if the global
      gross annual revenue threshold of $1 billion
      is met in
      each of the last two fiscal years, as
      opposed to being an average of the two.

This revised definition addresses Question 1 from our webcast by clarifying when
a small NY branch of a larger overseas company might be considered
a Class A Company. In addition, the Proposed Amendments:

  • Remove the possibility that an internal audit can satisfy an
    “independent audit” by making clear that an audit must be
    conducted by an external auditor;
  • Carve out “governmental entity” from the definition
    of a “third party service provider”;
  • Change references to the CEO for requirements such as
    compliance certification to the “highest-ranking executive at
    the covered entity,” which resolves an ambiguity in the
    pre-proposal draft under which these requirements might have applied to
    the CEOs of parent companies of Covered Entities that themselves
    did not have CEOs.

Emphasis on Certain Key Cybersecurity Domains

Certain revisions throughout the Proposed Amendments reflect
NYDFS’s enhanced focus on key cybersecurity domains and
industry best practices. For example:

  • Cybersecurity policies and procedures –
    [500.3] the addition of data “retention,” systems and
    network “monitoring,” “security awareness and
    training,” and incident “notification” to the list
    of areas that must be addressed (to the extent applicable) by the
    covered entity’s cybersecurity policies based on its risk
    assessment.
  • Incident Investigation – [500.16] the
    addition of an explicit reference to the investigat[ive] aspects of
    an incident response plan.
  • Annual Training and Testing of Incident Response Plan –
    [500.14 & 500.16(d)(1)] the addition of a
    minimum annual cadence to (1) the training requirement, with an
    explicit reference to social engineering exercises (an expansion from
    just “phishing”); and (2) the testing requirement for
    incident response plans (the requirement for CEO participation is
    replaced with that of the “highest-ranking executive” of
    the Covered Entity).
  • Backups – [500.16(e)] the change of the
    backup requirement from an action-oriented one (network isolation)
    to a goal-oriented one (adequate protection from unauthorized
    alterations or destruction).
  • Remedial Measures –
    [500.17(b)(1)(ii)(d)] the addition of “remediation plans and
    timeline for their implementation” as a required element of a
    covered entity’s written annual certification.

Softening of Certain Prescriptive Governance Requirements

The Proposed Amendments remove the CISO independence requirement
in the pre-proposal draft and adjust the mandatory nature of the
additional board reporting requirement.

  • The Proposed Amendments require the CISO to have authority and
    “the ability to direct sufficient resources to implement and
    maintain a cybersecurity program” but remove the requirement
    for CISO independence. This appears to be more practical for the
    purposes of effective program implementation and oversight without
    getting into locations on an org chart.
  • The Proposed Amendments further amend the CISO’s annual
    reporting to the Board or equivalent. The CISO still needs to
    consider a number of factors in developing a report, but the report
    no longer needs to include discussions of each such factor and does
    not need to include plans for remediating inadequacies.
  • Finally, the Proposed Amendments seem to clarify that the
    Board’s role is to “exercise oversight and provide
    direction to management on … cybersecurity risk management.”
    Covered Entities still need to report material issues found in the
    vulnerability management program to the “senior governing
    body.”

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
