On NYDFS publishes proposed amendments to Cybersecurity Regulation for covered entities

The New York Department of Financial Services (NYDFS) has recently published proposed amendments to significantly expand Cybersecurity Requirements for Financial Services Companies under 23 NYCRR 500 (the “NYDFS Cybersecurity Regulation). These developments are happening amid an outbreak of other, largely uncoordinated U.S. government initiatives to further regulate cybersecurity practices.

  The proposed amendments would create a new subset of covered entity (“Class A companies”) subject to additional requirements and would impose new cybersecurity obligations around governance, incident reporting, business continuity and disaster recovery plans, as well as additional technical and organizational requirements for all covered entities. Covered entities include insurance entities, virtual currency businesses, mortgage lenders and US branches, agencies and representative offices of foreign banks. They are affiliates of other companies – parents, subsidiaries, etc. – and often share information technology and cybersecurity resources and programs with those affiliates.

  To better understand the enforcement risks and the next steps that covered entities should keep in mind around these proposed amendments.

· Enforcement Risks and Proposed Amendments: Paul and Peter can discuss how NYDFS-regulated entities should be aware that the proposed amendments make clear that a covered entity that commits a single act prohibited by the NYDFS Cybersecurity Regulation, or that fails to comply with any obligation (including failure to comply for any 24-hour period), would be viewed as in violation of the NYDFS Cybersecurity Regulation and may be subject to enforcement by NYDFS.

· Next Steps for Covered Entities: Paul and Peter can talk about how covered entities may wish to consider now the impact of the proposed amendments on their business, and whether there are elements of the proposed amendments for which comments to NYDFS may be warranted (whether directly or through industry groups).If the proposed amendments are adopted, NYDFS-regulated entities are well advised to take a number of steps to prepare for compliance, including (but not limited to):

o Determine whether the entity is a Class A company. Covered entities will want to carefully assess whether they may be subject to the additional compliance obligations imposed on Class A companies.

o Update incident response plans. Covered entities may wish to update their existing incident response plans to account for the proposed amendments’ new notification obligations related to ransomware, unauthorized access to privileged accounts, and third-party security events, as well as the requirements to report and justify extortion payments.

o Map the entity’s data. To facilitate compliance with the NYDFS Cybersecurity Regulation’s new requirement that covered entities maintain written policies and procedures to ensure complete and accurate asset inventories, covered entities will want to ensure that they have a full understanding of their information flows and data assets.

o Evaluate existing privileged accounts. The proposed amendments would impose various new requirements related to privileged accounts, which is defined broadly to include any user or service account that can be used to “affect a material change” to the covered entity’s technical or business operations. Identifying which accounts fall into this category will be an important part of confirming that a covered entity meets its new compliance obligations.

o Consider conducting tabletop exercises. Tabletop exercises conducted under the guidance of experienced cybersecurity and resiliency professionals may help to ensure that employees supporting a covered entity’s incident response and BCDR plans are trained on their roles and responsibilities and well-positioned to mitigate harm in the event of an incident or outage.

  The comment period for the Proposed Amendments will run until Jan. 8, 2023. If adopted, most amendments will take effect 180 days from the date of adoption.

 A Client Alert from Hogan Lovell’s  is the source of this summary, thanks to Paul Otto and Peter Marta. Paul understands the regulatory environment surrounding cybersecurity risk management and incident response. Leveraging his technical background and capabilities in computer science and engineering, Paul brings insight to clients as a compliance counselor who understands hardware, software, and technological innovation. He has coordinated and managed hundreds of cybersecurity assessments and data incident responses, as well as associated enhancement/remediation plans.

  Peter (Pete) Marta’s leading in-house and government experience helps companies prepare for and respond to cybersecurity incidents. He joined the firm’s top-ranked Cybersecurity practice after serving as the global head of cybersecurity law at JPMorgan Chase, where he was head counsel to the firm’s chief information security officer and its chief security officer. In that role, Pete counseled all levels of the organization, from its security operations centers to the boardroom.