Author: John Farley
On June 28, 2023, the New York State Department of Financial Services (DFS) issued an updated proposed Second Amendment of the Cybersecurity Regulation, 23 NYCRR Part 500. The latest proposal will impose significant compliance requirements on a wide range of organizations in the financial industry sector. Organizations that may be affected should refer to the original Cybersecurity Regulation, which went into effect on March 1, 2017, along with this and any other proposed amendments that may be introduced and/or finalized in the future.
To whom does the latest DFS proposed second amendment apply?
The new proposal will apply to any financial services company subject to the Financial Services Law, Insurance Law and/or Banking Law (a Covered Entity).
It also establishes a threshold for Class A Companies subject to heightened requirements, qualified by the following elements:
- Covered Entities with at least $20 million in gross annual revenue in each of the last two fiscal years from operations in New York
- Over 2,000 employees over the last two years (including affiliates), or over $1 billion in gross annual revenue for the last two fiscal years from all business operations of the Covered Entity and its affiliates.
Key compliance requirements
Covered Entities must undertake the following:
- Notify DFS within 72 hours of a determination that a cybersecurity event has occurred and within 24 hours of an extortion payment, with a written explanation due within 30 days of the payment. The written description of the extortion payment must explain the reasons payment was necessary, and describe alternatives to payment considered, all diligence performed to find alternatives to payment, and all diligence performed to ensure compliance with applicable rules and regulations, including those of the Office of Foreign Assets Control.
- Implement a comprehensive list of cybersecurity controls. These controls include, but aren't limited to, multi-factor authentication (MFA), endpoint detection and response (EDR), penetration testing and data governance programs. The proposal also requires plans to remediate "material inadequacies."
- Monitor the cybersecurity program at least annually, or whenever there is a material change within the network or computer systems.
There are no specific fines stated for non-compliance. However, the Superintendent has broad power to consider various factors in the setting of any fine.
The complete details of the updated proposed Second Amendment are available on the DFS Proposed Financial Services Regulations page.
Our clients who may be affected by this new proposal should communicate this compliance requirement to key stakeholders within their respective organizations. In addition, cyber incident response plans should be updated to reflect the actions needed to meet the expectations of regulators.
Most Cyber insurance policies provide 24/7 access to several breach response experts, including breach coaches who can provide regulatory compliance guidance and forensic investigators who can investigate cyber incidents quickly and efficiently. These vendors may be crucial in navigating and complying with the DFS's and other legal reporting requirements in the aftermath of a cyber incident, and should play important roles in incident response plans.
Organizations should also be aware of rapidly evolving Cyber insurance products that may affect the scope of insurance coverage. The 2023 Cyber insurance market is changing rapidly, and this has spurred Cyber insurers to use various methods to reduce their cascading losses from regulatory risk, such as the issues unfolding around the use of technology. Sub-limits and coinsurance are often imposed for certain cyber losses. In addition, some carriers have modified Cyber insurance policy language to restrict or even exclude coverage for certain incidents that give rise to costs for regulatory investigations, lawsuits, settlements and fines.