The proposed changes to 23 NYCRR 500 (“Part 500”) indicate a shift in the Department of Financial Services’ approach to cybersecurity within companies falling under its jurisdiction. The DFS made a point of altering the language to spread accountability for cybersecurity from resting solely with the CISO to a “senior governing body.” This change reflects the DFS’s position that cybersecurity is an enterprise-wide responsibility rather than the concern of a single role.
DFS’s proposed amendments also underscore the need for heightened focus on annual processes to reinforce cybersecurity practices within an organization. The proposed amendments also add a distinction between covered entities and Class A entities, the latter being subject to more stringent requirements. As defined in these changes, Class A entities are covered entities (entities operating under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law, including entities that are also regulated by other government agencies) which have either over 2,000 employees or over $1 billion in average gross annual revenue. As a whole, these changes point towards the continued shift in the perception of cybersecurity from a subset of risk management to a significant business requirement.
For Senior Leadership:
The primary responsibility these proposed rule changes place on senior leadership is a requirement to form a senior governing body composed of the board of directors or an appropriate committee with sufficient expertise and knowledge of cyber risk and cybersecurity. This body is required to develop, implement, and maintain an information security program. The CISO will primarily report to this senior governing body. Additionally, the changes to this rule stipulate that the CISO be given adequate independence and authority to ensure cybersecurity risks can be properly managed.
The proposed amended rules require electronic notification to DFS within 72 hours from the time a cyber incident is discovered. Qualifying incidents were expanded to include events in which an unauthorized user gains access to a privileged account, as well as ransomware events. Entities would be required to notify the Department of any ransomware payment within 24 hours and to submit a full explanation of the incident within 30 days. Entities would also be required to provide an annual written certification of compliance with Part 500 by April 15.
For CISOs:
One of the main changes proposed by DFS in this rule is the requirement for annual approval, testing, and review of various policies. Policies that will now require annual senior governing body approval:
- End-of-life management
- Remote access controls and management
- Vulnerability and patch management
Actions that must now be taken at regular intervals:
- Annual independent penetration testing
- Vulnerability scanning
  - Class A: Weekly
  - Other: Appropriately regular intervals
- Risk assessment updates
  - Annual
- Impact assessments
  - All: Following any changes to business or technology in the enterprise
  - Class A: Additional external expert risk assessments conducted every three years
- Phishing training and cybersecurity awareness (to include exercises and simulations as appropriate)
  - All: As deemed appropriate
- Incident response plan testing
  - All: As deemed appropriate
- BCDR plan testing
  - All: As deemed appropriate
- Backup restoration testing
  - All: As deemed appropriate
The CISO will report the results of all testing as well as material cyber issues/events and updates to risk assessment policies to the senior governing body.
Additional requirements to be integrated into a cyber risk assessment program include:
- Limits on user access to information necessary to perform the user’s job
- Limits on the number of privileged accounts
- Periodic review of user access privileges
- Disable, or securely configure, permissions for remote control of devices
- Class A entities must actively monitor privileged accounts, implement a password vault solution for privileged accounts, and deploy an automated method of blocking commonly used passwords from being used
CISOs of Class A enterprises must ensure that an endpoint detection and response solution and a solution for centralized logging and security event alerting are deployed across their networks.