On November 9, 2022, the New York State Department of Financial Services (NYDFS) announced a proposed amendment to its cybersecurity regulation, 23 New York Codes, Rules and Regulations (NYCRR) Part 500 [1]. The purpose of 23 NYCRR 500 is to protect financial services companies and their customers from the growing volume and sophistication of cyber threats. The regulation applies to banks, insurance companies, New York State-licensed branches and agencies of non-US banks, and all other financial services companies supervised by the NYDFS. The proposed amendment is intended to address attacks that use increasingly sophisticated techniques, and it introduces the concept of Class A companies, which would be held to more stringent requirements.
The proposed update states: “Class A companies mean those covered entities with at least $20,000,000 in gross annual revenue in each of the last two fiscal years from business operations of the covered entity and its affiliates in this State and (1) over 2,000 employees averaged over the last two fiscal years, including those of both the covered entity and all of its affiliates no matter where located; or (2) over $1,000,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and all of its affiliates.” The proposed update is subject to a 60-day comment period. After the comment period closes, NYDFS will either repropose a revised version or adopt the final regulation.
Proposed Changes to the Key Cybersecurity Requirements
The 23 NYCRR 500 rule requires that each covered entity assess its cybersecurity risk profile and develop a robust program to address the risks it identifies. The key proposed amendments include:
- Cybersecurity Program: Class A companies would need to have an independent cybersecurity audit conducted at least annually.
- Cybersecurity Governance: The proposed amendment further delineates the roles and responsibilities of executive management, the board of directors, and the chief information security officer (CISO). Executive management or its delegate is responsible for developing and implementing the cybersecurity program, while the board of directors exercises oversight of the program. Additionally, the CISO would need to report material cybersecurity issues to the senior governing body [2].
- Vulnerability Management: Organizations would need to conduct both internal and external penetration testing at least annually. Additionally, organizations would need to perform automated and manual scans of their information systems to identify vulnerabilities. The proposed amendment also calls for risk-based prioritization of the identified vulnerabilities so that the most severe are remediated first.
- Access Privileges and Management: The amendment proposes to limit the number of privileged accounts with access to nonpublic information and to restrict the access functions of those accounts to what each job requires. Additionally, privileged accounts would need to be reviewed at least annually. The amendment also introduces new requirements related to user access review, account monitoring, and password standards.
- Asset Management and Data Retention Requirements: Organizations would need to maintain an accurate, documented inventory of information assets that records, at a minimum: (i) owner, (ii) location, (iii) classification or sensitivity, (iv) support expiration date, and (v) recovery time requirements.
- Monitoring and Training: Class A companies would need to implement an endpoint detection and response (EDR) solution to monitor for anomalous activity. Additionally, the amendment strengthens the cybersecurity training requirements for employees.
- Incident Response and Business Continuity Management: The proposed amendment introduces detailed requirements for business continuity and disaster recovery planning, and it expands the requirements for incident response plans.
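The asset inventory and privileged-account requirements above are the two items most readily turned into a recurring check. The script below is an added example written for this article; it is not NYDFS or Guidehouse code. It runs two checks over constructed sample records: every asset must carry the five inventory fields the amendment lists and must not be past its support expiration date, and every privileged account with access to nonpublic information must have been reviewed within the last year. Field names, the sample records, and the "as of" date are assumptions chosen for illustration.

```python
"""Inventory and privileged-account checks modelled on the proposed 23 NYCRR 500 amendment.

Added example for this article, not code from NYDFS or Guidehouse. The record
layout, field names and sample data below are assumptions made for illustration.
"""
from datetime import date, timedelta

# The five attributes the proposed amendment requires for each inventoried asset.
REQUIRED_ASSET_FIELDS = (
    "owner",
    "location",
    "classification",
    "support_expiration",
    "recovery_time_hours",
)

# Privileged accounts must be reviewed at least annually.
MAX_REVIEW_AGE = timedelta(days=365)

# Date the checks are run "as of" (assumption: the day the amendment was proposed).
AS_OF = date(2022, 11, 9)

# Constructed sample inventory: one compliant asset, one past end of support,
# one missing required fields.
ASSETS = [
    {"id": "core-banking-db", "owner": "dba-team", "location": "nyc-dc1",
     "classification": "nonpublic", "support_expiration": date(2026, 6, 30),
     "recovery_time_hours": 4},
    {"id": "legacy-reporting", "owner": "finance-it", "location": "nyc-dc1",
     "classification": "nonpublic", "support_expiration": date(2022, 1, 31),
     "recovery_time_hours": 48},
    {"id": "marketing-site", "owner": "marketing", "location": "cloud-us-east",
     "classification": "public"},
]

# Constructed sample accounts: one privileged account reviewed recently, one
# privileged account overdue for review, one non-privileged account.
ACCOUNTS = [
    {"name": "svc-backup", "privileged": True, "nonpublic_access": True,
     "last_reviewed": date(2022, 10, 1)},
    {"name": "admin-legacy", "privileged": True, "nonpublic_access": True,
     "last_reviewed": date(2021, 5, 15)},
    {"name": "jdoe", "privileged": False, "nonpublic_access": False,
     "last_reviewed": date(2022, 9, 1)},
]


def inventory_findings(assets, today):
    """Return (asset_id, reason) pairs for assets that fail the inventory checks."""
    findings = []
    for asset in assets:
        missing = [f for f in REQUIRED_ASSET_FIELDS if f not in asset]
        if missing:
            findings.append((asset["id"], "missing inventory fields: " + ", ".join(missing)))
        expiry = asset.get("support_expiration")
        if expiry is not None and expiry < today:
            findings.append((asset["id"], f"support expired on {expiry.isoformat()}"))
    return findings


def access_review_findings(accounts, today, max_age=MAX_REVIEW_AGE):
    """Return (account, reason) pairs for privileged accounts overdue for review."""
    findings = []
    for acct in accounts:
        # Scope: privileged accounts with access to nonpublic information.
        if not (acct["privileged"] and acct["nonpublic_access"]):
            continue
        age = today - acct["last_reviewed"]
        if age > max_age:
            findings.append((acct["name"],
                             f"privileged account review overdue by {(age - max_age).days} days"))
    return findings


def run_checks(today=AS_OF):
    """Run both checks over the sample data and return the findings by area."""
    return {
        "inventory": inventory_findings(ASSETS, today),
        "access": access_review_findings(ACCOUNTS, today),
    }


if __name__ == "__main__":
    for area, items in run_checks().items():
        print(f"[{area}] {len(items)} finding(s)")
        for subject, reason in items:
            print(f"  {subject}: {reason}")
```

In practice the two record lists would be loaded from the CMDB and identity provider rather than embedded, and the output would feed the annual review evidence rather than stdout; the checks themselves do not change.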
Cybersecurity has become more critical than ever. While regulators try to keep pace with the threat by introducing new regulations or amending existing ones, the growth of digital technologies keeps introducing new challenges. With the spread of cloud infrastructure, artificial intelligence, and big data, the complexity of managing cybersecurity risk will only increase. A key to success is to treat cybersecurity as a critical management issue rather than solely a technology requirement.
How Guidehouse Can Help
Guidehouse has assisted numerous clients in assessing their cybersecurity posture and operationalizing compliance with the regulations, standards, and guidance issued by cybersecurity authorities, as well as with global data privacy regulations. We have supported our clients by:
- Conducting assessments of the current state of an organization’s cybersecurity posture and developing a roadmap to achieve compliance with cybersecurity regulations and standards.
- Assisting with the implementation of a cybersecurity program that is technologically sound and sustainable, including designing and documenting policies, procedures, and the control environment.
- Conducting assessments to ensure design adequacy and operating effectiveness of the cybersecurity controls.
- Designing and building cybersecurity resiliency programs.
- Providing executive support, including CISO as a Service.
[1] New York State Department of Financial Services, 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies.
[2] The covered entity’s board of directors or equivalent.