New York Department of Financial Services Proposed Amendments to Cybersecurity Regulation: What it Means for Covered Entities
December 14, 2022
By Daniel B. Garrie
On November 9, 2022, the New York Department of Financial Services (NYDFS) issued a proposed second amendment to its 2017 Cybersecurity Regulation 23 NYCRR 500 (“Proposed Amendments”). The publication of these Proposed Amendments comes in the wake of a buzz-worthy pre-proposal comment period, where the NYDFS considered the comments received in response to the pre-proposed amendments. The 60-day public comment period for the Proposed Amendments will end on January 9, 2023. These amendments create a new subset of covered entities subject to further requirements. Moreover, they set new cybersecurity obligations regarding incident reporting times, governance, and technical and organizational needs. This post discusses some of the more significant changes identified in the Proposed Amendments that will impose additional requirements on the new category of covered entities.
The Proposed Amendments would create a new category of “Class A companies,” defined as covered entities with $20 million or more in gross annual revenue in each of the prior two (2) fiscal years from business operations in New York (including those of the covered entity and its affiliates), and either: (i) over 2,000 employees averaged over the past two (2) fiscal years (counting employees of both the covered entity and its affiliates, regardless of location); or (ii) more than $1 billion in gross annual revenue in each of the previous two (2) fiscal years from all business operations of the covered entity and its affiliates. This new class will face cybersecurity requirements beyond those customarily imposed on covered entities.
Two critical new requirements are independent audits and risk assessments. Class A companies must undertake independent audits of their cybersecurity programs, conducted by external auditors who are “free to make decisions not influenced by” the covered entity. This “independent audit” differs markedly from the “independent audit” discussed in the pre-proposed amendments, under which either an internal or an external auditor would have been permitted to conduct the audit.
In addition, covered entities must review and update their risk assessment annually, and must use external experts to conduct the risk assessment at least once every three (3) years. Currently, covered entities need only conduct risk assessments “periodically” and “as reasonably necessary to address changes to the covered entity’s information systems, nonpublic information, or business operations.” Further, “whenever a change in the business or technology causes a material change to the covered entity’s cyber risk,” Class A companies would be required to update their risk assessment accordingly.
The Proposed Amendments also contain new incident reporting provisions. Each covered entity must provide NYDFS, in a standard electronic form, with any requested information about its investigation of a cybersecurity incident it has reported. The investigative findings must be provided within a 90-day response period [500.17(a)(2)]. Covered entities must also report third-party cybersecurity incidents within a 72-hour notification deadline, running from the time the covered entity becomes aware of the event [500.17(a)(3)].
The Proposed Amendments introduce additional requirements for Chief Information Security Officers (“CISOs”) and board members. In this regard, New York continues to signal to companies that corporate governance is essential. The Proposed Amendments drop the CISO independence requirement contained in the pre-proposed amendment. However, they require that the CISO have the ability to direct sufficient resources to implement and maintain a cybersecurity program. In particular, a corporate board must: possess sufficient cyber risk expertise and knowledge for effective oversight; approve the company’s security policies, procedures, and risk assessment; receive briefings from the CISO at least annually; and review any material issues that arise from vulnerability assessments and penetration tests. Beyond the individual requirements placed on the CISO and board members, a company’s senior management and leaders must also be proactive. The CEO and CISO must co-sign an annual attestation of security compliance. The CEO and senior officers must participate in incident response plan testing, and senior officers must also be present during business continuity plan testing.
In light of the new Proposed Amendments, there are a few points covered entities may want to note regarding the impact on their business. If they are adopted, covered entities and NYDFS-regulated entities should consider taking the following steps in preparation for compliance:
- Conduct tabletop exercises. These exercises help ensure that a covered entity’s employees are well trained in their roles and responsibilities for mitigating harm in the event of an incident.
- Determine whether the entity is a Class A company and, accordingly, whether it is subject to the additional compliance obligations imposed on Class A companies.
- Revise current incident response plans to reflect the Proposed Amendments and the new notification obligations for ransomware, unauthorized access to privileged accounts, and third-party security events, including the associated reporting requirements. The revision should also document the justification for any payment that could be characterized as an extortion payment.
NYDFS’ Proposed Amendments are further evidence that cyber risk is not simply a technical issue. A company’s entire security team, its board, and its management team must therefore treat it as a mandatory core responsibility. Covered entities should also assess their cybersecurity practices and procedures to ensure they have sufficient controls in place to comply with these anticipated New York regulatory changes.