NYDFS publishes new proposal on cybersecurity regs

Privacy, Cyber Risk & Data Security State Issues NYDFS 23 NYCRR Part 500 State Regulators

On June 28, NYDFS published an updated proposed second amendment to the state’s cybersecurity regulation (23 NYCRR 500) reflecting revisions made by the department in response to comments received on proposed expanded amendments published last November. (Covered by InfoBytes here.) NYDFS’ cybersecurity regulation, effective in March 2017, imposes a series of cybersecurity requirements for banks, insurance companies, and other financial services institutions. (Covered by InfoBytes here.) Proposed changes include:

• New and amended definitions. The proposed second amendment defines “Chief Information Security Office or CISO” to mean “a qualified individual responsible for overseeing and implementing the covered entity’s cybersecurity program and enforcing its cybersecurity policy, who has adequate authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain an effective cybersecurity program.” Certain references to a CISO’s responsibilities have been moved and slightly modified throughout. The amendments also clarify that affiliates should only include “those that share information systems, cybersecurity resources or all or any part of a cybersecurity program with the covered entity” for the purposes of calculating the number of employees and gross annual revenue for consideration as a “Class A Company.” The definition of a “privileged account” has also been modified to remove a condition that an authorized user account or service account be able to affect a material change to the technical or business operations of the covered entity. Risk assessments also no longer include a requirement that a covered entity “take into account the specific circumstances of the covered entity, including but not limited to its size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations.” Additionally, “senior governing body” now specifies that for “any cybersecurity program or part of a cybersecurity program adopted from an affiliate under section 500.2(d) of this Part, the senior governing body may be that of the affiliate.”
• Notice of a cybersecurity event. Under 23 NYCRR 500, entities are required to notify NYDFS within 72 hours after a determination has been made that a cybersecurity event has occurred at a covered entity, its affiliates, or a third-party service provider. The amendments remove a 90-day period for covered entities to provide the superintendent with requested information, and instead provides that “[e]ach covered entity shall promptly provide any information requested regarding such event. Covered entities shall have a continuing obligation to update and supplement the information provided.” Covered entities will be required to maintain for examination, and now inspection by the department upon request, all records, schedules, and supporting data and documentation.
• Exemptions. The proposed second amendment now offers that “[a]n employee, agent, wholly-owned subsidiary, representative or designee of a covered entity, who is itself a covered entity, is exempt from this Part and need not develop its own cybersecurity program to the extent that the employee, agent, wholly-owned subsidiary, representative or designee is covered by the cybersecurity program of the covered entity.”
• Additional modifications. Other slight modifications have been made throughout that include removing a requirement that covered entities “document material issues found during testing and report them to its senior governing body and senior management,” and deleting a requirement that Class A companies use external experts to conduct risk assessments at least once every three years. The proposed second amendment makes changes to third-party service provider policy requirements and multi-factor authentication provisions and replaces a reference to a covered entity’s board of directors or equivalent with the “senior governing body.” Language defining these responsibilities has been slightly modified. Additionally, incident response plans must also now include a root cause analysis describing “how and why the event occurred, what business impact it had, and what will be done to prevent reoccurrence.” Furthermore, when assessing penalties, the superintendent may now also consider “the extent to which the relevant policies and procedures of the company are consistent with nationally recognized cybersecurity frameworks, such as NIST.”

The proposed second amendment is subject to a 45-day comment period expiring August 14.