NYDFS Proposes Amendments to Cybersecurity Regulation
- The New York Department of Financial Services recently released Proposed Amendments to its Cybersecurity Regulation that represent a significant update to the regulation of cybersecurity practices within the financial services sector.
- The Proposed Amendments call for increased mandatory controls associated with common attack vectors and additional cybersecurity requirements for larger companies, among other enhancements.
- The comment period for the Proposed Amendments continues until Jan. 8, 2023, and most amendments become effective within 180 days of adoption.
The New York Department of Financial Services (NYDFS) on Nov. 9, 2022, released Proposed Amendments to its Cybersecurity Regulation.1 The NYDFS Cybersecurity Regulation was one of the first laws requiring companies to comply with a prescriptive set of requirements in their cybersecurity program and has been credited for influencing similar requirements by several other regulatory bodies.
The Proposed Amendments reflect a significant update to NYDFS regulation of cybersecurity practices within the financial services sector. For example, whereas the original Cybersecurity Regulation provided organizations with more freedom in designing their cybersecurity program based on assessed risks, the Proposed Amendments now require the implementation of specific administrative and technical controls designed to address common vulnerabilities. In addition, consistent with a growing regulatory trend, the Proposed Amendments move beyond administrative and technical safeguards to regulate corporate behavior by mandating cybersecurity governance practices. Finally, the Proposed Amendments subject larger financial services companies to independent audits and external risk assessments. As discussed below, these proposed changes will likely impose significant new obligations for regulated financial services companies and increase legal compliance risks for these entities together with their executives and boards of directors.
NYDFS Cybersecurity Regulations
NYDFS regulates financial services companies licensed to operate in New York, including banks, insurance companies and mortgage loan servicers. In 2017, the agency published its Cybersecurity Regulation, which went fully into effect in March 2019. The law required its regulated financial services companies to maintain a comprehensive cybersecurity program in accordance with a number of specific security requirements.
Specifically, companies must conduct yearly risk assessments, develop policies and procedures related to 15 information security controls based on these risk assessments, maintain incident response plans, conduct annual penetration tests and biannual vulnerability assessments, use multifactor authentication for access from an external network, notify regulators of a cybersecurity event within 72 hours, and much more. In addition to these requirements, the Chief Information Security Officer (CISO) must provide the board of directors or equivalent governing body with annual, written reports concerning the company's cybersecurity program. Regulated companies also must annually certify their compliance with the Regulations in a submission to NYDFS. The law does provide exemptions for financial services companies that have less than 20 employees/independent contractors, less than $5 million in gross annual revenue in each of its last three fiscal years or less than $15 million in year-end total assets.2
Since the Cybersecurity Regulation went into effect, NYDFS has brought several enforcement actions for violations of these requirements. In its first public enforcement action (see Holland & Knight's previous alert, "SEC Issues First-Ever Penalties for Deficient Cybersecurity Risk Controls," June 22, 2021), NYDFS announced charges against First American Title Insurance Co. for allegedly exposing millions of consumers' sensitive personal information to the public. In that matter, NYDFS alleged that each instance of exposure of nonpublic information constitutes a separate violation carrying up to $1,000 in penalties per violation. More recently, NYDFS announced that Robinhood Crypto LLC will pay a $30 million penalty to the state of New York for allegedly violating the Cybersecurity Regulation and other regulations. As illustrated by these announcements, the cost of violating the Cybersecurity Regulation can be substantial.
The Proposed Amendments
On July 29, 2022, NYDFS released Draft Pre-Proposed Amendments for review and comment. The comment period for these Draft Pre-Proposed Amendments concluded on Aug. 18, 2022. After consideration of these nonpublic comments, NYDFS on Nov. 9, 2022, promulgated the Proposed Amendments through a formal New York rulemaking process, which provides a minimum 60-day public comment period. The comment period for the Proposed Amendments will run until Jan. 8, 2023. If adopted, most amendments will take effect 180 days from the date of adoption. There are different transitional periods to implement a number of technology-related amendments.
The Proposed Amendments generally fall within the following five categories: 1) increased mandatory controls associated with common attack vectors, 2) enhanced requirements for privileged accounts, 3) enhanced notification obligations, 4) expansion of cyber governance practices, and 5) additional cybersecurity requirements for larger companies. The amendments in each of these five categories are discussed in more detail below.
1. Increased Mandatory Controls and Practices
Cybercriminals often use similar tactics, techniques and procedures to gain access into a company's network. Over the past few years, the three most common vectors used to gain access into a victim's system have been phishing emails, misconfigured remote desktop protocol (RDP)3 and unpatched software. In addition, both the SolarWinds and Log4j vulnerabilities highlighted the need to maintain detailed inventories of the software programs and versions used throughout an organization.
In response to these common vulnerabilities, the Proposed Amendments would require regulated companies to implement mandatory controls and practices designed to address them. To address phishing emails, the Proposed Amendments require monitoring and filtering of emails to block malicious content. They also require employees to receive cybersecurity awareness training that includes social engineering exercises. To address RDP vulnerabilities, the Proposed Amendments require companies to develop policies and procedures related to remote access, use strong and unique passwords when passwords are employed as a method of authentication, utilize multifactor authentication for remote access, disable or securely configure all protocols that permit remote control of devices, and periodically review all user access privileges and remove accounts and access that are no longer necessary. To address the unpatched software vulnerability, the Proposed Amendments require companies to develop policies and procedures related to vulnerability and patch management, develop policies and procedures related to end-of-life management, and maintain asset inventories that would include each asset's owner, location, support expiration date, update frequency and other specifically identified information.
The Proposed Amendments also focus on protecting business operations during a ransomware attack. Specifically, the Proposed Amendments require incident response plans to include ransomware incidents and backup recovery planning. In addition, the Proposed Amendments require companies to develop detailed business continuity and disaster recovery (BCDR) plans, which include procedures for backup of essential data and offsite storage of information. Finally, the Proposed Amendments require regulated companies to periodically test their ability to restore systems from backups.
In addition to these specific controls, policies and procedures, the Proposed Amendments require annual penetration tests by a qualified internal or external independent party and regular vulnerability assessments and automated scans of information systems to identify, analyze and report vulnerabilities.
2. Enhanced Requirements for Privileged Accounts
One of the more common tactics employed by cybercriminals upon gaining unauthorized access within a system is privilege escalation; that is, threat actors seek to gain control of user accounts that contain the highest level of access and authority within a network.
The Proposed Amendments attempt to address this concern through specific requirements related to privileged accounts. As an initial step, the Proposed Amendments define the term "privileged accounts." Essentially, a privileged account is an account within the network that has authority to make configuration changes or add/remove user accounts. The Proposed Amendments then require regulated companies to:
- limit the number of privileged accounts
- limit access to privileged accounts to only those users who need access to perform their job
- limit the use of privileged accounts to only when performing functions requiring use of such accounts
- annually review all user access privileges and remove accounts and access that are no longer necessary
- employ multifactor authentication (MFA) for all privileged accounts4
- promptly terminate access following departures
- implement a privileged access management solution
- implement an automated method of blocking commonly used passwords
3. Enhanced Notification Obligations
Although the Cybersecurity Regulations require regulated entities to report cybersecurity incidents within 72 hours to NYDFS, the Proposed Amendments create an additional notification obligation related to ransomware payments and would require regulated entities to notify NYDFS within 24 hours of any extortion payments made in response to a cybersecurity event. In addition, within 30 days of payment, the entity would be required to provide NYDFS a written description explaining a) why payment was necessary, b) the alternatives considered, c) the due diligence taken to assess these alternatives, and d) the due diligence taken to ensure payment complied with applicable rules and regulations, including those of the U.S. Department of the Treasury's Office of Foreign Assets Control.
In addition, within 90 days of the notice of the cybersecurity incident, regulated entities must provide the Superintendent any information requested regarding the investigation of the cybersecurity incident. The Proposed Amendments note that regulated entities have a continuing obligation to update and supplement all provided information.
4. Expansion of Cybersecurity Governance Practices
One of the key aspects of the Proposed Amendments is the expansion of cybersecurity governance practices, as NYDFS seeks to hold executives and boards of directors accountable for regulated entities' cybersecurity programs.
Preliminarily, the Proposed Amendments define the term "senior governing body" to mean the regulated entity's board of directors (or an appropriate committee thereof) or an equivalent governing body.5 The Proposed Amendments then require regulated entities to employ the following practices:
- the senior governing body must approve the written cybersecurity policies and procedures annually
- the senior governing body must receive reports concerning the regulated entity's material cybersecurity issues
- the CISO must timely report material cybersecurity issues to the senior governing body
- material issues found in penetration tests or vulnerability assessments must be documented and reported to the senior governing body and senior management
- the board of directors, or an appropriate committee of the board, must have sufficient expertise and knowledge, or be advised by a person with sufficient expertise and knowledge, to exercise effective oversight of cyber risk and of those responsible for cybersecurity
In addition, the Proposed Amendments place increased responsibilities on the executive management and senior officers. Where regulated entities have a board of directors, the board shall exercise oversight of and provide direction to management on cybersecurity risk management and require the executive management to develop, implement and maintain the company's cybersecurity program. Regulated entities also must periodically test their incident response plan with the CEO and senior officers present and periodically test their BCDR plan with senior officers present.
Finally, the Proposed Amendments require regulated entities to submit an annual certification of compliance with these Cybersecurity Regulations. If an entity is not compliant, the Proposed Amendments would require the entity to submit a written acknowledgement that it is not compliant, explain the nature and extent of its noncompliance, and provide remediation plans and timelines for implementation. Under the Proposed Amendments, the certification or written acknowledgement of noncompliance must be signed by both the CEO and the CISO.
5. Additional Cybersecurity Requirements for Larger Companies
The Proposed Amendments create a new category of regulated entities called Class A companies. Class A companies are regulated entities that have at least $20 million in gross annual revenue in each of the last two fiscal years and have over 2,000 employees (including employees who work at an entity's affiliate) or make more than $1 billion in gross revenue in each of the last two fiscal years from all business operations (including gross annual revenue of an entity's affiliates). Under the Proposed Amendments, Class A companies have significantly more stringent cybersecurity requirements that require them to:
- conduct annual independent audits of their cybersecurity program
- monitor privileged access activity
- implement password vaulting for privileged accounts and an automated method of blocking commonly used passwords
- use external experts to conduct a risk assessment at least once every three years
- implement an endpoint detection and response solution to monitor anomalous activity
- implement centralized logging and security event alerting
The Proposed Amendments also expand the limited exemption provisions to exempt financial services companies that have less than 20 employees/independent contractors, less than $5 million in gross annual revenue in each of its last three fiscal years or less than $15 million in year-end total assets.
Key Takeaways Regarding the Proposed Amendments
1. Increasing Prescriptive Requirements
Many cybersecurity and privacy regulations require entities to implement comprehensive cybersecurity programs based on assessed risks. Such requirements typically give regulated entities significant autonomy to design technical and administrative controls deemed appropriate for their environment. However, the Proposed Amendments continue to reduce such autonomy by codifying specific administrative and technical controls. Although NYDFS may have the best intentions, this approach potentially erodes regulated entities' ability to effectively allocate limited cybersecurity resources on a risk-prioritized basis, since they are forced to instead operate programs prioritized for compliance with multiple regulators' competing compliance demands. In addition, the mandatory administrative and technical controls are designed to counter today's vulnerabilities, but cyber threats constantly evolve and the codification of such practices could become outdated. It is also unclear to what extent the increased regulatory requirements will negatively impact 1) resource-limited organizations, 2) security personnel subject to ever-increasing demands and job-related risks, or 3) the ability of newer, smaller and more diverse service providers to compete for business with financial services companies imposing significant compliance and indemnity demands due to the Cybersecurity Regulations.
2. Material New Governance Oversight and Demands
There is little doubt that NYDFS desires to improve corporate governance over regulated companies' cybersecurity practices. For example, the Proposed Amendments specifically require boards of directors to approve the written cybersecurity policies and procedures, receive reports concerning material cybersecurity issues, and provide effective oversight over the entity's cybersecurity program. In addition, consistent with the approach taken by the U.S. Securities and Exchange Commission, board members will be required to have significant expertise and knowledge to exercise effective oversight of cyber risk. In doing so, however, the Proposed Amendments will materially impact the composition of boards and management teams. A potential talent shortage of cybersecurity professionals qualified to serve in such roles may be a significant issue for regulated entities. In addition, these requirements may divert funds allocated to other important environmental, social and governance (ESG) initiatives and, likewise, divert board and management seats that would otherwise be allocated to fulfill other ESG and diversity objectives.
3. Increased Legal Risk Exposure
More regulation inherently means more legal compliance risk due to regulatory enforcement and the increased likelihood of shareholder derivative suits in the event of a cybersecurity incident. For example, allegations of ineffective oversight and breach of fiduciary duties may become more common in data breach cases, and such derivative actions may identify the NYDFS regulations as setting minimum standards (i.e., the floor) required of boards with respect to their personal cybersecurity obligations.
The Proposed Amendments also increase potential legal risk for regulated entities and their senior management, for example through the requirement that the CEO and CISO both sign an annual certification of compliance. In many organizations, the CEO is not an expert in cybersecurity or able to dedicate significant time to that one area, making the attestation difficult, and the dual-signatory requirement could create tension and conflicts within upper management. The certification itself could also expose a regulated entity, and its CEO and CISO personally, to allegations of misrepresentation or fraud in legal actions; NYDFS has already alleged false certification against several regulated entities in enforcement actions. In addition, because the Proposed Amendments require a detailed account of any noncompliance in the written acknowledgement, good faith efforts at full disclosure could be leveraged against the entity in any subsequent legal action. This is likewise true for good faith efforts to fully document gaps identified during penetration tests or vulnerability assessments. Collectively, these new requirements pile onto the already-stressful jobs of CEOs, CISOs and boards, particularly in the financial services sector, with more demands and higher personal risks.
4. Increased Compliance Costs
Once the proposed changes are adopted, significant additional resources may be needed to implement the required technical and administrative controls, governance practices, and third-party penetration testing, audits and risk assessments. There will also be practical challenges associated with the rules, such as annually testing incident response plans with all critical staff, including senior officers and the CEO. A repeating cadence of third-party audits may be expensive, time-consuming and distracting. Demands for qualified independent auditors may also result in a backlog of audit requests that challenge compliance deadlines and result in some talent loss as cybersecurity professionals move from internal programs to audit firms.
Perhaps the key question is whether the Cybersecurity Regulations have proved their value in a cost-benefit analysis since they went into effect. Do prescriptive cybersecurity requirements mitigate cybersecurity risks materially better than existing laws and entities' independently implemented cybersecurity practices, or do they result in increased compliance costs without achieving desired aims?
If you have any questions about the proposed amendments to the NYDFS Cybersecurity Regulation or need assistance submitting comments to help shape the final rule to reflect industry concerns, contact the authors or a member of Holland & Knight's Data Strategy, Security & Privacy Team.
1 NYCRR 500.
2 23 NYCRR 5000.19.
3 RDP is a communication protocol used in Microsoft operating systems to allow users to access computers remotely. As companies rapidly implemented work-from-home strategies in response to the COVID-19 pandemic, they had to allow such remote access to the companies' systems. Misconfiguration of such access resulted in a significant increase in cybercriminals gaining unauthorized access through RDP attacks.
4 The Proposed Amendments do not require MFA on service accounts that prohibit interactive login, as long as the CISO has approved in writing the implementation of compensating controls that achieve reasonably equivalent security.
5 If the regulated entity does not have a board of directors or an equivalent governing body, the senior governing body refers to the senior officer responsible for the entity's cybersecurity program.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.