NYDFS updates cybersecurity requirements for financial services companies

Major amendments to Part 500 cybersecurity regs adopted – we set out what you need to know.

New York’s financial watchdog published significant updates to its cybersecurity regulations Wednesday, adding strict internal controls and risk assessment requirements, plus notification obligations around ransom payments, that go further than recent federal rules.

The New York State Department of Financial Services (NYDFS) – which oversees banks, insurance firms, mortgage brokers and other financial institutions – expanded the Part 500 cybersecurity rules it enacted in 2017 because rising cyberattacks require stronger protections, said Adrienne Harris, the agency’s superintendent, in a statement.

Cyber rule’s key changes

The new rules strengthen the agency’s risk-based approach to ensure that cybersecurity is integrated into regulated entities’ business planning, decision-making, and ongoing risk management. Key changes in the regulations include:    

  • enhanced governance requirements;      
  • additional controls to prevent initial unauthorized access to information systems and to prevent or mitigate the spread of an attack;      
  • requirements for more regular risk and vulnerability assessments, as well as more robust incident response and business continuity/disaster recovery planning (BCDR);     
  • updated notification requirements including a new requirement to report ransomware payments; and      
  • new requirements for annual (or more frequent) training and cybersecurity awareness programs that anticipate social engineering attacks that are relevant to their business model and personnel.

In New York’s new rules, chief information security officers (CISOs) are placed front and center in the new regulations as having responsibility for ensuring that companies comply with the rules and internal policies are enforced. Boards of directors, or other senior committees, are charged with overseeing cybersecurity risk management, and they must retain an appropriate level of expertise to understand cyber issues, the rules say.

Directors must sign off on cybersecurity programs, and ensure that any security program has “sufficient resources” to function. 

New class of entities

Another one of the major changes in the new rules entails creating a new class of entities known as “Class A Companies” that will be subject to heightened requirements. Class A Companies are NYDFS-regulated businesses that either have over 2,000 employees, or have over $1 billion in gross annual revenue, including the company’s affiliates. The heightened requirements for Class A Companies include:

  • conducting an annual independent audit of their cybersecurity programs, which can be done by external or internal auditors;
  • implementing a privileged access management solution as well as methods for automatically blocking passwords that are commonly used; and
  • using endpoint detection tools and other solutions to monitor and log potentially unauthorized activity.

The rules stipulate that cybersecurity must be a significant part of business continuity plans, and that safety measures such as data backups should be regularly tested. The update rules require covered entities to perform a risk assessment annually, instead of “periodically.”

NYDFS will still require companies to report cybersecurity incidents within 72 hours, but the rule now specifies that the clock starts when the company determines it has experienced a cybersecurity incident, and it must provide the regulator with any information it requests. (As a point of comparison, SEC’s rules require reporting four days after a company determines that a cyber incident will be material to its business.)

The adopted amendment holds NYDFS-regulated businesses and licensed entities accountable for implementing cybersecurity protections, ensuring they maintain cyber defenses appropriate to their size, nature of business, and the type of data maintained, providing relevant training to all employees responsible for implementing cybersecurity plans regarding their roles and responsibilities and at least annual tests of business incident response and BCDR plans and backup plans.

The Bank Policy Institute and the American Bankers Association, lobby groups for the financial industry, sent letters to the Office of the National Cyber Director on Tuesday urging harmonization between regulators on reporting regimes. In the letters, they said the various cyber incident reporting, incident disclosure, consumer breach notification, data security and privacy requirements from US agencies such as the banking regulators, Treasury Department, SEC, plus the NYDFS at the state level are creating standards and frameworks that are too disparate and unmanageable.

Ransom payments

Additionally, New York joins several other states in mandating that companies (with some states just making it mandatory for state agencies) report any ransom payments they have made. Under NYDFS’s rules, regulated firms must now report any payment made to hackers within 24 hours of that payment. Also, 30 days thereafter, the business must provide a written description of the reasons that the payment was necessary, the alternatives that were considered, and the diligence that was performed with respect to the incident to ensure compliance with applicable law.

Interestingly, that provision of NYDFS’s new rule coincides with the 50 members of the International Counter Ransomware Initiative (CRI) affirming the importance of strong and aligned messaging discouraging paying ransomware demands and leading by example. The members met in Washington, DC, from Monday through Wednesday of this week for the third time since the group’s creation, agreeing to continue to cooperate internationally across all elements of the ransomware threat.

Businesses must also determine if they meet the definition of a “Class A Company”, plus update documentation to account for new policy and procedure requirements.

The US government, via the FBI and Cybersecurity and Infrastructure Security Agency, doesn’t outright prohibit paying a ransom – but it strongly encourages individuals and entities not to, as such payment does not guarantee victim files will be recovered. Furthermore, the agencies believe these payments may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. 

In a similar vein, New York’s rules stop short of banning ransom payments, but they require companies that pay a ransom to submit a report to the agency describing the decision-making process that resulted in payment and other avenues considered.

Implications for compliance

Covered entities should begin to determine how these updated rules will affect everything from existing policies and procedures, training programs and materials, BCDRs, incident response protocols, regulatory technology built around the original rule’s parameters, governance procedures and board expertise, reporting mechanisms to meet new deadlines, plus existing contracts or applications that reference the older rules.

Obviously, businesses must also determine if they meet the definition of a “Class A Company,” plus update documentation to account for new policy and procedure requirements.

Already-busy CISOs have added tasks here as well, and the compliance team and others must ensure they (and the board of directors) are equipped to oversee the cybersecurity program, can report on material issues within required timeframes, and that they have the technology and outside expert resources that could supplement in-house resources, if needed.

Finally, as the new cybersecurity rule references data, facilities, infrastructure, personnel, communication plans, and third-party cybersecurity risk (among other factors), the compliance team must ensure it has the full understanding and commitment of multiple departments and unit leaders in understanding and implementing these strengthened requirements.

With some exceptions, covered entities will need to demonstrate compliance within 180 days of the updated rules being published in the State Register.