On November 9, 2022 the NYDFS announced major revisions to its existing cybersecurity and reporting requirements. The updates to its 2017 cybersecurity regulation for financial services companies are slated to take effect in mid-summer 2023. These changes present quite a few major compliance challenges for entities doing business in New York to anticipate and overcome in the next few months.
There is no sugarcoating it – the upcoming changes are considerable. Chief among them are: the approach to risk assessment, the restructuring of internal oversight and CISO responsibility, access privileges, and revisions to policies and procedures. It is important for companies both inside and outside the state of New York to fully understand these changes, as the compliance models are usable across regulations and demonstrate best practices.
The new obligations for an entity's risk assessment are found in section 500.2, with the term “risk assessment” being redefined as:
“Risk assessment means the [risk assessment that each covered entity is required to conduct under section 500.9 of this Part] process of identifying cybersecurity risks to organizational operations (including mission, functions, image and reputation), organizational assets, individuals, customers, consumers, other organizations and critical infrastructure resulting from the operation of an information system. Risk assessments shall take into account the specific circumstances of the covered entity, including but not limited to its size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations. Risk assessments incorporate threat and vulnerability analyses, and consider mitigations provided by security controls planned or in place.”
The definition now requires information security consultants to update their risk assessments based on a list of factors specifically tailored to the company. From a compliance standpoint, this adds time, money, and complexity to the overall process.
2023 shall be known as the Year of the CISO. The proposed changes significantly elevate the role of the Chief Information Security Officer and put pressure on senior management and boards of directors to bring the CISO into a more senior fold. Section 500.4(a) states that:
“(a) Chief information security officer. Each covered entity shall designate a qualified individual responsible for overseeing and implementing the covered entity’s cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, chief information security officer or CISO). The CISO must have adequate authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program. The CISO may be employed by the covered entity, one of its affiliates or a third party service provider.”
The CISO will be responsible for reporting annually to the “governing body” (or whoever is most senior in the organization) on:
(1) the confidentiality of nonpublic information and the integrity and security of the covered entity’s information systems;
(2) the covered entity’s cybersecurity policies and procedures;
(3) material cybersecurity risks to the covered entity;
(4) overall effectiveness of the covered entity’s cybersecurity program; [and]
(5) material cybersecurity events involving the covered entity during the time period addressed by the report; and
(6) plans for remediating material inadequacies.
The amendment effectively grants CISOs the authority to manage cybersecurity risks at their discretion, including the ability to direct sufficient resources to implement and maintain a cybersecurity program, and requires that the CISO report to the senior governing body on any material cybersecurity issues.
The overall goal of these amendments to the CISO role is to push companies to restructure the oversight and funding of their cybersecurity programs. If a CISO is not a current member of senior management, lacks an adequate budget or authority, and is not regularly reporting on the cybersecurity program – then there is a significant risk that NYDFS will consider the entire program non-compliant.
Access management and multi-factor authentication are staple components of the new changes. Companies must conduct a user access privilege review (at minimum annually), immediately terminate access after employee departures, and implement a written password policy that meets industry standards. MFA (multi-factor authentication) must be implemented for remote access to all privileged accounts, as well as for access to entity or third-party applications that host nonpublic information. It is important to note that the exemptions for this section have been removed, and the full MFA requirements will apply to all covered entities.
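The three access-management obligations above (periodic access review, prompt termination of departed users, and MFA on privileged remote access) lend themselves to an automated reconciliation of an HR roster against account exports. The following is an added illustration written for this article, not code from the regulation, NYDFS, or Elevate; the employee roster, account records, field names, and the 365-day review interval are constructed assumptions, and a real implementation would read the same data from an HR system and identity provider.

```python
from datetime import date, timedelta

# Constructed sample HR roster (hypothetical people and dates).
EMPLOYEES = {
    "alice": {"status": "active", "terminated": None},
    "bob": {"status": "terminated", "terminated": date(2023, 3, 1)},
    "carol": {"status": "active", "terminated": None},
}

# Constructed sample account export: one record per account per system.
ACCOUNTS = [
    {"user": "alice", "system": "core-banking", "privileged": True, "remote": True,
     "mfa": True, "enabled": True, "last_reviewed": date(2022, 5, 1)},
    {"user": "bob", "system": "core-banking", "privileged": False, "remote": False,
     "mfa": False, "enabled": True, "last_reviewed": date(2023, 1, 10)},
    {"user": "carol", "system": "vpn", "privileged": True, "remote": True,
     "mfa": False, "enabled": True, "last_reviewed": date(2023, 4, 2)},
    {"user": "svc-backup", "system": "nas", "privileged": True, "remote": False,
     "mfa": False, "enabled": True, "last_reviewed": None},
]

# Assumed review cadence: "at minimum annually" read as 365 days.
REVIEW_INTERVAL = timedelta(days=365)


def review_access(accounts, employees, as_of):
    """Return (finding_type, user, system) tuples for each control gap found."""
    findings = []
    for acct in accounts:
        emp = employees.get(acct["user"])

        # Departed staff must have access terminated promptly.
        if emp is not None and emp["status"] == "terminated" and acct["enabled"]:
            findings.append(("departed_user_enabled", acct["user"], acct["system"]))

        # Accounts with no HR record (orphaned or service accounts) need an
        # accountable owner before they can be reviewed meaningfully.
        if emp is None:
            findings.append(("no_hr_record", acct["user"], acct["system"]))

        # Privileged remote access must be protected by MFA.
        if acct["privileged"] and acct["remote"] and not acct["mfa"]:
            findings.append(("privileged_remote_without_mfa", acct["user"], acct["system"]))

        # Every account must have been reviewed within the review interval.
        last = acct["last_reviewed"]
        if last is None or as_of - last > REVIEW_INTERVAL:
            findings.append(("review_overdue", acct["user"], acct["system"]))
    return findings


def summarize(findings):
    """Count findings by type, which is the shape a CISO report would use."""
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(ACCOUNTS, EMPLOYEES, as_of=date(2023, 7, 1))
    for kind, user, system in results:
        print(f"{kind:32} {user:12} {system}")
    print(summarize(results))
```

Run against the constructed data as of 2023-07-01, the review flags Bob's still-enabled account after his March departure, Carol's privileged VPN account without MFA, and the backup service account as both unowned and never reviewed, which are exactly the items an annual access certification should surface.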
A revision of policies and procedures will be an arduous task for many companies. Section 500.5 states that covered entities are required to “develop and implement written policies and procedures for vulnerability management that are designed to assess the effectiveness of its cybersecurity program.” The required vulnerability management policies and procedures must require that covered entities, at a minimum, (i) conduct penetration testing (both inside and outside their systems) by qualified personnel; (ii) periodically, and after major system changes, conduct automated scans of systems, and, if automated scans do not cover certain systems, manual scans; (iii) have monitoring processes to promptly inform the covered entity of the emergence of new security vulnerabilities; (iv) prioritize and timely remediate vulnerabilities; and (v) document and report material issues found during testing to the Board of Directors and senior management. The tracking of asset management has also been updated to require “(i) owner; (ii) location; (iii) classification or sensitivity; (iv) support expiration date; and (v) recovery time requirements.”
There are limited exceptions for smaller companies in these amendments. An entity (including affiliates) with either fewer than 20 employees (including independent contractors) or less than $15 million in year-end total assets is exempt from the following regulation sections: 500.4 (CISO requirements), 500.5 (penetration testing and vulnerability assessments), 500.6 (audit trails), 500.8 (application security), 500.10 (cybersecurity personnel), 500.14 (training and monitoring), 500.15 (encryption), and 500.16 (BCDR & IRP plans).
Click here to read the full Regulation and view all upcoming changes in more detail.
If you have questions about compliance with the new regulations, or are in need of CISO services to ensure compliance with the new directive, please contact us at https://elevateconsult.com/contact-us/ or book an appointment here.
Sources: https://ipandmedialaw.fkks.com
https://www.dfs.ny.gov/industry_guidance/regulations
https://www.natlawreview.com