Proposed revisions by the New York State Department of Financial Services (NYSDFS) to its Part 500 cybersecurity requirements would shore up cyber weaknesses found in recent enforcement actions. These are the same shortcomings associated with inability to withstand ransomware attacks, according to the regulator’s June 2021 ransomware guidance and its December 2021 MFA guidance. The proposal (called the “June draft” in this article) revises an earlier proposal from November 2022 and is expected to be finalized by the end of 2023.
The amendment remains more prescriptive and stringent than the current requirements, giving leading practices the force of regulatory requirement for covered entities (referred to here as "firms") and, in certain cases, their third-party service providers. The June draft includes enhanced requirements for password systems, asset inventory, data management, business continuity and disaster recovery (BCDR), notification, governance, testing, training and enforcement.
What has changed since the November draft? While the June draft remains largely consistent with the earlier proposal, it contains impactful changes for the new category of large companies as well as extended timelines for all companies to comply with some of the more challenging requirements. These changes include:
Shorter timeline for CEO to cosign. All revisions to notice requirements, including certification and cybersecurity event reporting (500.17 Notices to the Superintendent), now take effect within 30 days. Contrast this to the 180-day transition period for most requirements and extended timelines for tougher sections. This now includes the updated certification requirements, notably the requirement that the highest-ranking executive (usually the CEO) cosign the certification along with the CISO. The certification must be based on “data and documentation sufficient to accurately determine and demonstrate such compliance,” including where applicable from affiliates and third parties. If a firm can’t certify material compliance, it must file a written statement with remediation timelines.
Transition periods extended. The publication of the revisions for a 45-day comment period means most of the other changes won’t take effect during calendar year 2023, as most are subject to a 180-day transition period.
Within one year. Requirements for ad hoc CISO reporting to the board (500.4) and data encryption (500.15) take effect. The new incident response and disaster recovery requirements, including testing and the ability to restore from backups (500.16), now have the full one-year transition period, whereas previously only the ability to restore from backups had the extended compliance timeline.
Within 18 months. All firms must meet the revised requirements for access management (500.7). Previously, only Class A companies had an extended timeline for compliance with privileged access management enhancements required only of them (500.7(b)).
Within two years. Firms have two years to implement enhancements to multi-factor authentication (500.12). The two-year transition period for implementing enhancements to the asset inventory requirements is unchanged from the November proposal.
Class A company definition narrowed. The prior draft determined Class A status based on total revenue and total employees only. The June draft counts only those affiliates that share information systems, cybersecurity resources or any part of a cybersecurity program with the firm, which narrows the population of Class A companies.
Internal auditors can perform the independent audit. While the independent audit requirement for Class A companies remains, the prior draft required external parties to conduct the audit. Now either external or internal audit teams may perform it.
External risk assessment requirement eliminated. The November draft’s requirement that Class A companies use external experts to conduct a risk assessment at least once every three years has been dropped.
“Full” compliance is now “material” compliance. While the current effective version simply requires “compliance,” and the November proposal specified “full compliance,” the June draft introduces the ability to certify for “material” compliance. The June draft does not define “material,” and therefore it will be up to firms to establish criteria for materiality. The revision also introduces the concept of material compliance in 500.20(b), Enforcement, which establishes criteria for citing violations that can lead to fines and other penalties.
What hasn’t changed? Most of it. While several challenging enhancements now have longer transition periods, and the audit and risk assessment no longer have to be performed by external parties, the hard parts remain. The longer transition periods reflect an acknowledgement that the revision’s core requirements may pose significant challenges to firms.
Compliance and governance focus. Throughout the regulation, the NYSDFS specifies that certain activities must be conducted at least annually and introduces the requirement that compensating controls be reviewed and approved in writing. The new incident response and BCDR requirements specify annual testing, and the risk assessment must be executed at least annually with the policies and procedures it drives reviewed and approved at least annually as well. While an annual or more frequent cadence of control execution and program validation is implied by the annual certification requirement, the NYSDFS is making its views explicit: Do this at least annually and be able to prove it with certification based on data and documentation.
The data-and-documentation basis for certification indicates that the regulator has seen shortcomings in firms’ approaches to evidencing compliance. Indeed, many of the enforcement actions under Part 500 have cited shortcomings in compliance certification (500.17(b) violations). The addition of the requirement that a firm’s highest ranking executive cosign the certification, or written acknowledgement of noncompliance, raises the bar on the cybersecurity program — the CISO may have no qualms signing off on the program based on direct knowledge, but proving the program is compliant to a non-cyber executive may be difficult. It’s a challenge that firms may need to overcome by year-end.
The June draft is subject to a shorter, 45-day comment period and therefore will likely be finalized in time for the revised notice requirements to become effective for the December 31, 2023 certification, which is due April 15, 2024.
Start now. The new requirements may be challenging for many organizations, especially the requirements that were granted longer transition periods. Couple this with the modest extent of changes from the November proposal and the message is clear: These changes may be hard, but NYSDFS expects you to be in compliance by the deadlines. For larger firms, start analyzing whether the Class A designation applies. All firms should set aside resources for compliance planning and preparation in their next annual budgeting cycle. For example, the elimination of text messages as a permissible component of a multi-factor authentication (MFA) solution, and the requirement that the CISO review and approve in writing at least annually any compensating controls, may require enhancing your approach to MFA. Applying and periodically reviewing the principle of least privilege and privileged account management may be a heavy lift, depending on the firm’s size and complexity.
Enhance compliance evidence for CEO sign-off. Don’t lose sight of changes required before the year-end — compliance evidence and CEO sign-off. While many of the changes likely won’t take effect this calendar year, and therefore won’t come into scope for the December 31, 2023 certification due by April 15, 2024, the requirement that the CEO cosign with the CISO and that certification be based on data and documentation sufficient to demonstrate “material” compliance will. Some firms may be able to present a single package of documentation demonstrating how each requirement is met, with mapping to policies, procedures, controls and control execution or testing evidence. Others will not.
Define “material.” Because the regulation now requires “material” compliance, and several sections refer to materiality thresholds, you should establish documented criteria for assessing materiality. Doing so will make evaluating and evidencing compliance easier if examiners raise questions.
Identify areas that require immediate attention. Completing a full asset inventory to meet the revised requirements may take time, and that inventory will be necessary to inform the risk assessment that your entire cybersecurity program is based on. For many firms, conducting and maintaining a complete asset inventory will be challenging, making it the “long pole in the tent” — even with two years to complete it.
Identify stakeholders, critical paths and necessary staging. Stakeholders include staff, senior management, the board and customers who may be affected by the enhanced security requirements needed to access their accounts. Some changes may be low-hanging fruit — administrative changes to incident-reporting protocols — but others, such as endpoint detection for Class A companies, the asset inventory and BCDR testing, will need more involvement from other stakeholders throughout the organization.
Review your current pace of testing, control execution, control testing and evidence collection. You may need to accelerate your testing to meet deadlines, and the readiness and business continuity plans you implement must themselves be tested. Make sure you have the right talent on board in all three lines of defense, especially in this tight labor market. Document control execution evidence, as well as evidence of second- and third-line testing, to support annual certification.
The June draft may grant longer transition periods and reduce the need for external validation of cybersecurity programs, but it is more remarkable for how consistent it is with the prior drafts. It still elevates leading practices to regulatory requirements, and the NYSDFS has demonstrated through a dozen enforcement actions citing violations of the current regulation that noncompliance is not an option. Regardless of the regulation’s final form, using the amendment as a guidepost to enhance your cyber program not only helps prepare your firm for regulatory scrutiny but can better safeguard your organization, its customers and its reputation.
With longer transition periods now contemplated, you will have more time to meet some of the draft’s expectations, although changes to the certification process will still take effect by year-end 2023. With technology budgets typically set in the fourth quarter, you should still begin assessing potential impact before the regulation is finalized.