
InfoBytes Blog

Financial Services Law Insights and Observations

  • NYDFS amends cybersecurity regs

    Privacy, Cyber Risk & Data Security

    On November 9, NYDFS proposed expanded amendments to the state’s cybersecurity regulation (23 NYCRR 500) to strengthen the Department’s risk-based approach for ensuring cybersecurity risk is integrated into regulated entities’ business planning, decision making, and ongoing risk management. NYDFS’ cybersecurity regulation took effect in March 2017 (covered by InfoBytes here) and imposes a series of cybersecurity requirements for banks, insurance companies, and other financial services institutions. NYDFS is proposing the new amendments via a data-driven approach to ensure regulated entities implement effective controls and best practices to protect consumers and businesses. “With cyber-attacks on the rise, it is critical that our regulation keeps pace with new threats and technology purpose-built to steal data or inflict harm,” Superintendent Adrienne A. Harris said in the announcement. “Cyber criminals go after all types of companies, big and small, across industries, which is why all of our regulated entities must comply with these standards – whether a bank, virtual currency company, or a health insurance company.”

    Some changes within the proposed amended regulation include:

    • New Obligations for Larger Companies. The proposed amended regulation adds a new subcategory of larger covered entities called “Class A companies,” which would be subject to additional security and external auditing requirements in addition to the general requirements that apply to all covered entities. This includes, among other things, a requirement to have an external audit of a Class A company’s cybersecurity program annually. Class A companies are defined as covered entities with at least $20 million in gross annual revenue in each of the last two fiscal years (generated from the business operations of a covered entity and its affiliates in New York) that have either (i) more than 2,000 employees averaged over the last two fiscal years (includes both the covered entity and all affiliates despite the location); or (ii) over $1 billion in gross annual revenue in each of the last two fiscal years (generated from all business operations of a covered entity and all of its affiliates).
    • Cybersecurity Governance. The proposed amended regulation provides several enhancements to the Part 500 governance requirements including:
      • The chief information security officer (CISO) must have adequate authority to ensure that cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program.
      • The CISO must present an annual written report to the covered entity’s senior governing body that addresses the covered entity’s cybersecurity program as well as five topics described in the regulation and the company’s plans for remediating material inadequacies.
      • The CISO must timely report to the senior governing body material cybersecurity issues, such as updates to the covered entity’s risk assessment or major cyber events.
      • If the covered entity has a board of directors or equivalent, the board or an appropriate committee shall have sufficient expertise and knowledge (or be advised by persons with sufficient knowledge and expertise) to exercise effective oversight of cyber risk management.
    • Notice of Compliance. The annual certification of compliance must be signed by the covered entity’s highest-ranking executive and its CISO. The proposed amended regulation would allow a covered entity to choose to alternatively provide written acknowledgement that a covered entity did not fully comply with the regulation by describing the areas of noncompliance, including areas, systems, and processes that require material improvement, updating, or redesign, and a remedial plan and timeline for their implementation.
    • Requirements for Resiliency, Business Continuity, and Disaster Recovery Plans. The proposed amended regulation adds significant documentation and technical requirements for business continuity and disaster recovery plans, including: (i) designation of essential data and personnel; (ii) communication preparations; (iii) back-up facilities; and (iv) identification of necessary third parties.
    • Risk Assessments. The proposed amended regulation expands the definition of risk assessment. A covered entity’s risk assessment shall be reviewed and updated at least annually and whenever a change in the business or technology causes a material change to the covered entity’s cyber risk. Class A companies are required to use external experts to conduct a risk assessment at least once every three years.
    • Technology. The proposed amended regulation adds several significant mandatory security control requirements, including:
      • Asset Inventory: Each covered entity will be required to implement written policies and procedures to ensure a complete, accurate, and documented asset inventory. At a minimum, the policies and procedures should include a method to track key information for each asset, including, as applicable, the owner, location, classification or sensitivity, support expiration date, and recovery time requirements.
      • Privilege Management: The proposed amended regulation introduces additional standards for privilege management, including, among other things, that covered entities must (i) limit privileged accounts to only those that are necessary and to conduct only specific functions; (ii) conduct access reviews on at least an annual basis; (iii) disable or securely configure remote access protocols; and (iv) promptly terminate access privileges for departing users.
      • Multi-Factor Authentication: The proposed amendment expands the types of accounts and access that require multi-factor authentication, to include all privileged accounts.
      • Vulnerability Management: Cybersecurity programs must now, through policies and procedures, explicitly address internal and external vulnerabilities, remediate issues in a timely manner, and report material issues to senior management.
    • Reporting Requirements. The proposed amended regulation contains provisions related to ransomware, including measures which would require entities to notify NYDFS within 72 hours of any unauthorized access to privileged accounts or “deployment of ransomware within a material part of the covered entity’s information system.” This timeframe also applies to cybersecurity events that occur at a third-party service provider. Entities would also be directed to provide the superintendent within 90 days of the notice of the cybersecurity event “any information requested regarding the investigation of the cybersecurity event.” Additionally, entities would also be directed to alert the Department within 24 hours of making a ransom payment. Within 30 days, entities must also explain the reasons that necessitated the ransomware payment, what alternatives to payment were considered, all diligence performed to find payment alternatives, and all diligence performed to ensure compliance with applicable OFAC rules and regulations, including federal sanctions implications.
    • Small Business Exemption. NYDFS noted in its announcement that based on industry feedback as well as the operating realities facing small businesses, it is proposing to raise the exemption threshold for small companies. If adopted, limited exemptions will be provided to covered entities with (i) fewer than 20 employees, including any of the entity’s independent contractors or its affiliates located in the state or that are responsible for the business of a covered entity; (ii) less than $5 million in gross annual revenue in each of the last three fiscal years from business operations of a covered entity and its affiliates in the state; and (iii) less than $15 million in year-end total assets, including the assets of all affiliates.

    The proposed amended regulation is subject to a 60-day comment period beginning on November 8th upon publication in the State Register. NYDFS stated it looks forward to receiving feedback on the proposed amended regulation during this comment period. After the comment period ends, NYDFS will review the comments received and either repropose a revised version or adopt the final regulation. Covered entities will have 180 days from the effective date to comply except as otherwise specified.

    See continuing InfoBytes coverage on 23 NYCRR Part 500 here.

  • OFAC announces sanctions tied to drug trafficking

    Financial Crimes

    On November 9, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 14059 against three individuals and nine entities for supplying certain drugs to U.S. markets through internet sales and a host of shell companies. OFAC noted that the sanctions would not have been possible without collaboration with the Drug Enforcement Administration and Homeland Security Investigations. As a result of the sanctions, all property and interests in property belonging to the sanctioned persons subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. Persons that engage in certain transactions with the designated individuals or entities may themselves be exposed to sanctions or enforcement action, OFAC warned.

  • OFAC sanctions individuals associated with al-Qa’ida

    Financial Crimes

    On November 9, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13224 against two business associates of a previously sanctioned al-Qa’ida financial facilitator and external operations plotter. According to OFAC, the two designated individuals in the recent action conducted business activities to assist the previously designated individual for facilitating the international movement of individuals and finances in furtherance of al-Qa’ida’s objectives. As a result of the sanctions, all property and interests in property belonging to the sanctioned persons subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more” by one or more blocked persons are also blocked. U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. Persons that engage in certain transactions with the designated individuals or entities may themselves be exposed to secondary sanctions, OFAC warned, adding that foreign financial institutions that knowingly conduct or facilitate significant transactions to any of the sanctioned persons could also be subject to U.S. sanctions.

  • OFAC updates FAQs related to sanctioned virtual currency “mixer”

    Financial Crimes

    On November 8, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) published one new and three amended cyber-related FAQs related to sanctions issued in August against a virtual currency mixer accused of laundering more than $7 billion. As previously covered by InfoBytes, OFAC claimed the company “repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis.” Newly added FAQ 1095 clarifies that a designated “person” under Executive Order 13722 or 13694 is a “partnership, association, joint venture, corporation, group, subgroup, or other organization.” Amended FAQs 1076, 1078, and 1079 (i) explain how persons can complete transactions or withdraw virtual currency without violating U.S. sanctions regulations; (ii) clarify whether OFAC reporting obligations apply to “dusting” transactions (wherein “certain U.S. persons may have received unsolicited and nominal amounts of virtual currency or other virtual assets from [the sanctioned company’s] smart contracts”); and (iii) outline prohibitions resulting from the sanctions.

  • OFAC sanctions individuals connected to DPRK

    Financial Crimes

    On November 8, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions against two individuals for engaging in transportation and procurement activities on behalf of the Democratic People’s Republic of Korea (DPRK). According to OFAC, these individuals acted on behalf of an entity previously designated by OFAC for operating in the transportation industry in the DPRK economy (covered by InfoBytes here). OFAC also noted that the designation is part of continuing efforts by the U.S. to limit DPRK’s ability to advance its unlawful weapons of mass destruction and ballistic missile programs, and follows numerous recent DPRK ballistic missile launches. As a result, all property and interests in property of the designated persons that are in the U.S. or in the possession or control of U.S. persons must be blocked and reported to OFAC. OFAC regulations generally prohibit all dealings by U.S. persons or within the U.S. (including transactions transiting the U.S.) that involve any property or interests in property of blocked or designated persons. OFAC further warned that engaging in certain transactions with the designated individuals and entities entails risk of designation. Additionally, OFAC warned that a foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the designated individuals or entities could be subject to U.S. correspondent or payable-through account sanctions.

  • OFAC announces sanctions involving Burma’s military regime

    Financial Crimes

    On November 8, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 14014 against an individual and an entity that facilitate weapons purchases for Burma’s military regime. According to OFAC, the designation is in conjunction with newly issued European Union sanctions. OFAC also noted that “Burma’s military regime has continued to oppress and deny the will of the people to chart an inclusive, democratic future for their country,” and that the sanctions are not targeted toward the people of Burma but at “those who profit from the oppressive actions of the regime by operating in the defense sectors of Burma’s economy and by enabling Burma’s military connections to foreign militaries.” As a result of the sanctions, all property and interests in property belonging to the sanctioned persons that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons, unless authorized by a general or specific OFAC license, or if otherwise exempt.

  • OFAC sanctions individuals and entities tied to ISIS

    Financial Crimes

    On November 7, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13224 against four members of an Islamic State of Iraq and Syria (ISIS) cell operating in South Africa, along with eight companies owned, controlled, or directed by the individuals in the ISIS cell. According to OFAC, the individuals provided technical, financial, or material support to the terrorist group. As a result of the sanctions, all property and interests in property belonging to the sanctioned individuals and entities, and of “any entities that are owned, directly or indirectly, 50 percent or more by them, individually, or with other blocked persons” that are subject to U.S. jurisdiction are blocked. U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. Persons that engage in certain transactions with the designated individuals or entities may themselves be exposed to designation, OFAC warned, adding that foreign financial institutions that knowingly conduct or facilitate significant transactions to any of the sanctioned persons could also be subject to U.S. sanctions.

  • OFAC sanctions Haitian politicians for narcotics trafficking

    Financial Crimes

    On November 4, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), along with the Government of Canada, announced sanctions pursuant to Executive Order 14059 against two Haitian politicians for having allegedly “engaged in, or attempted to engage in, activities or transactions that have materially contributed to, or pose a significant risk of materially contributing to, the international proliferation of illicit drugs or their means of production.” OFAC said it coordinated its efforts closely with the Drug Enforcement Administration on this designation. As a result, all property and interests in property of the designated individuals are blocked, and “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” OFAC’s regulations also generally prohibit all dealings by U.S. persons or within the United States (including transactions transiting the United States) that involve any property or interests in property of designated or otherwise blocked persons. OFAC also warned that “persons that engage in certain transactions with the individuals designated today may themselves be exposed to sanctions or subject to an enforcement action. Furthermore, unless an exception applies, any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for the individuals designated today could be subject to U.S. sanctions.”

  • OFAC sanctions oil shipping network connected to IRGC-QF and Hizballah

    Financial Crimes

    On November 3, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13224 against members of an international oil smuggling network for allegedly facilitating oil trades and generating revenue for Hizballah and the Islamic Revolutionary Guard Corps-Qods Force (IRGC-QF). Included are “several key individuals and numerous front companies and vessels involved in blending oil to conceal the Iranian origins of the shipments and exporting it around the world in support of Hizballah and the IRGC-QF.” According to Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson, the responsible individuals “use a web of shell companies and fraudulent tactics including document falsification to obfuscate the origins of Iranian oil, sell it on the international market, and evade sanctions” in order to generate revenue to enable Hizballah and IRGC-QF terrorist activities. The sanctions follow the designation of another Iranian oil smuggling network earlier in May (covered by InfoBytes here). As a result, all property and interests in property of the designated persons, “and of any entities that are owned, directly or indirectly, 50 percent or more by them, individually, or with other blocked persons, that are in the United States or in the possession or control of U.S. persons, must be blocked and reported to OFAC.” Unless authorized by general or specific OFAC licenses or otherwise exempt, OFAC regulations generally prohibit all transactions by U.S. persons or within the United States (including transactions transiting the United States) that involve any property or interests in property of designated individuals. OFAC further warned that “engaging in certain transactions with the individuals and entities designated today entails risk of secondary sanctions.” Additionally, OFAC warned that a foreign financial institution that knowingly conducts or facilitates a significant transaction on behalf of a Specially Designated Global Terrorist could be subject to U.S. correspondent or payable-through account sanctions.

  • OFAC sanctions terrorist weapons trafficking network tied to ISIS-Somalia

    Financial Crimes

    On November 1, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13224 against the Islamic State in Somalia (ISIS-Somalia), marking the first time this affiliate of the Islamic State of Iraq and Syria (ISIS) is being designated. The action follows designations taken by OFAC earlier against a network of financial facilitators who hold leadership roles and are key interlocutors between the group and local companies in Somalia (covered by InfoBytes here). According to OFAC, the designated persons serve as “critical nodes for a weapons trafficking network that is closely integrated with ISIS-Somalia,” and maintain “strong ties to al-Qa’ida in the Arabian Peninsula (AQAP) and al-Shabaab.” Addressing the significance of the sanctions, Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said “[t]oday, we take direct aim at the networks funding and supplying both ISIS-Somalia and al-Shabaab that support their violent acts. The involvement of those designated today in other criminal activity, including piracy and illegal fishing, demonstrates the extent of ISIS-Somalia’s integration with illicit networks and other terrorist organizations operating in the region.” “Treasury is committed to working with partners in the region to disrupt the financing of ISIS and al-Shabaab,” Nelson said.

    As a result of the sanctions, all property and interests in property belonging to the sanctioned persons subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. Persons that engage in certain transactions with the individuals or entities designated today may themselves be exposed to designation, OFAC warned, adding that foreign financial institutions that knowingly facilitate significant transactions or provide significant financial services to any of the sanctioned persons could also be subject to U.S. sanctions.
