NYDFS Bolsters Cybersecurity Requirements
Effective November 1, 2023, the Part 500 amendment to the NYDFS Cybersecurity Regulation (23 NYCRR 500) is a new set of cybersecurity requirements for all covered financial institutions. The NYDFS bolsters cybersecurity requirements through a series of changes that address both the advancing cybersecurity threat landscape and the increased opportunities for organizations to protect themselves.
The wide-sweeping amendments to the regulation include significant changes to everything from mandated cybersecurity policies to the appointment of Chief Information Security Officers to increased testing, controls, and risk assessment. For a full summary of the required changes, visit Mayer Brown’s post on the subject.
While understanding all of these changes is crucial to operational compliance, this article focuses on the changes to the incident management and reporting requirements, to better understand the growing relevance of event reporting to GRC operations and how organizations can operationalize reporting into a consistent and collaborative process.
NYDFS Reporting Requirements
The NYDFS Cybersecurity Rule includes robust security policy requirements. For incident response, the initial draft in 2018 mandated a 72-hour data breach notification timeline to the regulator. In its second iteration, the rule requires CISOs to prepare annual reports that inform regulators of:
- The organization’s cybersecurity policies and procedures
- The organization’s security risks
- The effectiveness of the organization’s existing cybersecurity measures
As part of a robust cybersecurity program, the rule entails documentation of procedures, standards, and guidelines for in-house applications, documentation for evaluating third-party applications, and audit trails for threat detection and response among other security requirements.
Concerning reporting, the latest draft of the rule (henceforth, the “November Draft”) requires organizations to notify the NYDFS about all cybersecurity events that carry a “reasonable likelihood” of causing material harm. This includes incident documentation and reporting of material cybersecurity issues and updates to risk assessments and major cyber events.
Mayer Brown outlines the three types of cybersecurity events that require notification as:
- Cybersecurity events where an unauthorized user has gained access to a privileged account;
- Cybersecurity events that resulted in the deployment of ransomware within a material part of the covered entity’s information system; or
- Cybersecurity events at a third-party service provider that affect a covered entity. It also would require a covered entity to provide and update information that NYDFS may request regarding the investigation of the cybersecurity event.
In addition to notifying the regulator and the Board about incident management processes, organizations must also report any extortion payment made in relation to a cybersecurity event within 24 hours of making the payment and, within 30 days, must notify NYDFS of the reasons the payment was necessary along with documentation of the alternatives to payment that were considered.
For compliance and security leaders observing the changing regulatory landscape, the November Draft’s amendment to include Board visibility mirrors the SEC Cybersecurity Disclosure Rule: it makes transparent, documented processes crucial to regulatory compliance and equips Board members with sufficient knowledge and expertise to oversee cyber risk.
Material Compliance as Part of a Balanced Program
Central to the November Draft is the requirement that organizations identify “material” events and assess “material” compliance. The definition of materiality will be different for every organization; however, once your definition is established, you have a consistent criterion for assessing harm across your organization.
With a consistent, scalable approach to material assessment, your organization is prepared to defend your notification decision to regulators and can make decisions quickly as incidents arise.
As regulations at the state and Federal level evolve to include nuanced and organization-specific evaluation of incident severity, it is crucial for security, compliance, and privacy leaders to adopt solutions that enable consistent, documented assessment of cyber events.
Additionally, by automating material risk assessments, organizations can streamline decision making around the annual security testing, third-party risk assessments, and policy reviews required by the November Draft. By operationalizing these assessments, organizations can move beyond manual processes for annual certification and notification and provide regulators with a single source of truth for all compliance notification decisions.
If the final form of the November Draft amendments is similar to their current form, then covered entities should begin preparing to meet the requirements of the regulations. Moreover, businesses not subject to the DFS regulation should review the regulations to gain an understanding of potential future trends in cyber regulations, as DFS regulations have a track record of being adopted by other state and federal regulators.