Cyber Security Changes in NY: Are You Ready?

Written By Nicholas Mancini

Conforming to cybersecurity regulations might feel like an uphill battle due to the complicated stack of federal legislation, state mandates, and industry best practices. For those in New York, the list of rules is about to undergo another set of changes.

The New York Department of Financial Services (NYDFS) recently proposed substantial amendments to the cybersecurity rules enacted in March 2017. Many small firms wrongly assume that these amendments target larger entities, but they should be careful about dismissing them.

Countless aspects of these amendments will impact covered entities of all sizes—such as the need for board sign off on the cybersecurity plan, implement training for participating employees, and routinely test that plan throughout the year. Overall, these amendments cover six categories, including governance, risk assessments, and penalties. Here's what you need to know.

What Is the NYDFS Changing?

The proposed changes pertain to the Part 500 Cybersecurity Rules, which first went into effect in March 2017. These rules have since become the gold standard, with other states adopting similar requirements. However, the continuously evolving world of cybersecurity means that these rules must change alongside it.

Some of the amendments under discussion appeared in the NYDFS’s 2021 Ransomware Guidance, with the entire set of amendments released one year later in July. Here is an overview of the most substantial categories.

Establishing "Class A" Companies

First, the NYDFS proposes a new classification of entities, known as "Class A" companies. While the amendments are not yet finalized, the current proposed guidelines state that a Class A company has: Over 2,000 employees or an average gross annual revenue of $1 billion or more over the last three fiscal years.

Any covered entity that exceeds a specific number of employees or gross yearly income would be classified as a Class A company and required to comply with several obligations. However, even if not needed, some boards and investors will likely treat all of their investments equally regardless of the Class A designation.

The responsibilities might entail the following:

  • Class A companies will be required to conduct annual independent cybersecurity audits and routine scans or weekly reviews as part of the proposed rules.

  • Other proposed requirements include account monitoring, password vaulting, and automated password controls for privileged accounts.

Involving Board Members

The proposed rule changes attempt to generate active involvement from the board of directors regarding cybersecurity programs. More specifically, board members will be required to partake in cybersecurity planning and may be directed to:

  • Approve cybersecurity policies on an annual basis;

  • Set requirements for executive management to develop, implement, and maintain an information security program;

  • Review documentation of all security gaps identified during routine testing; and

  • Possess or be advised by someone who possesses deep expertise regarding cyber risks.

Updating Notifications Requirements

Under the amendments, covered entities would face more stringent notification requirements. For instance:

  • Covered entities must notify the NYDFS Superintendent within 72 hours if a cybersecurity event results in unauthorized access to a privileged account or ransomware deployment within specific parts of the entity's systems.

  • If an extortion payment is made in connection with an event, a covered entity must notify the NYDFS Superintendent within 24 hours of making the payment. Additionally, they must submit a written description detailing the alternatives and risks explored within 30 days of that payment.

Clarifying Violations and Penalty Assessments

The latest amendments clarify what constitutes a violation, which means penalties may apply in situations where they previously did not. For instance, the amendments state that a violation occurs when:

  • Unauthorized access to nonpublic information results from noncompliance with any NYDFS regulations.

  • A covered entity fails to comply with any section of the rules for any 24-hour period.

The amendments also specify how to assess penalties, suggesting multiple factors be considered. These factors might include the covered entity's good faith efforts, history of violations, the number of violations, and the length of time violations were unresolved.

Do These New Rules Impact You? 

The attempt to establish a "Class A" definition has been one of the main points of discussion regarding the NYDFS amendments. After all, this new classification would pose additional requirements for medium-size and large firms. Yet, other proposed changes deserve attention, especially since they will impact large and small covered entities.

It's important to understand that these amendments are not yet finalized, even though the 10-day pre-proposal period for comments closed on August 8. The official proposed amendments will be published in the coming weeks, followed by a 60-day comment period.

Given the timeline, it's difficult to say what the final amendments will look like, but staying on top of these proposed changes gives smaller firms a head start in preparing for the inevitable changes. For instance, if you don't already have an asset tracking system or your incident response plan is outdated, now is the time to get ahead of the regulations and future-proof your cybersecurity strategy.

Nicholas Mancini
Previous

What is IT governance, and why do you need it in your business?
Next

Does Your Technology Work for You, or Do You Work for Your Technology?