Are You Prepared for Proposed Changes to NYDFS Part 500 Cyber Regulation?

One of the most significant changes in the second amendment establishes a new entity classification, Class A companies. Class A companies must meet more stringent requirements than other covered entities. Class A companies are defined as covered entities and their affiliates with $20,000,000 in gross annual revenue in each of the last two fiscal years from business operations in New York and either of the following:

• Over 2,000 employees averaged over the last two fiscal years, including those of both the covered entity and all of its affiliates regardless of location, or
• Over $1,000,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and all of its affiliates.

For the purpose of determining number of employees and gross annual revenue, affiliates include only those that share information systems, cybersecurity resources or all or any part of a cybersecurity program with the covered entity.

Companies large enough to meet this definition are subject to 3 additional requirements that smaller covered entities are not. These include: 

1. An annual independent audit of the cyber program (500.2), 
2. Privileged access management solution and an automated method of blocking commonly used passwords (500.7), and
3. Endpoint detection must be implemented to monitor the network and include centralized logging and security event alerting (500.14).

Governance starts with policies. The original Part 500 includes a comprehensive list of policies that are required. The additional policies in the second amendment require formal documentation of an end of life management, remote access, and vulnerability and patch management policies and procedures. The second amendment also specifies that the policies must be approved annually by the senior governing body. 

Additional policies:

• (h) Security awareness and training
• (o) Vulnerability management 

Updated policies (updated portion bolded):

• (b) data governance, classification and retention
• (c) asset inventory, device management and end of life management
• (d) access controls, including remote access and identity management
• (i) systems and application security and development and quality assurance
• (n) incident response and notification 

In addition to the policies listed in 500.3, policy requirements are highlighted later in the regulation that can be assumed to be covered in the categories listed in 500.3. 

Other policies: 

• Encryption (500.15)

We recommend a detailed review of the entire regulation before creating new policies.

The expansion of governance continues with additional requirements for the CISO, CEO, and Board of Directors. Starting with the CISO, the second amendment requires that the CISO have adequate authority to ensure that cyber risks are appropriately managed, and specifies their ability to direct sufficient resources to establish and maintain a cybersecurity program.

Currently, the CISO is required to report to the Board of Directors annually on the Company’s cybersecurity program and material cybersecurity risks. The second amendment requires additional annual reporting to the Board of Directors on plans for remediating inadequacies, as well as timely reporting on material cybersecurity issues or significant cybersecurity events.

Given enhanced reporting to the Board of Directors, the second amendment specifies that the Board of Directors is required to have sufficient knowledge and expertise of cybersecurity related matters or be advised by such persons, to exercise effective oversight of cybersecurity risk management. 

The second amendment also expands the CEO’s role in security, or the highest ranking executive. The annual certification of compliance is required to be signed by both the CEO and the CISO. 

The certification allows for an acknowledgement of less-than-full compliance, with identification of specific deficiencies. However, Companies must be prepared to provide the NYDFS with documentation of a remediation timeline or confirmation that remediation has been completed.

Both assets and access issues revolve around lack of controls over sensitive data. The asset inventory is one of the more significant updates in the second amendment. Currently, this section only has a requirement for disposal of NPI that is no longer needed for business operations. The amendment requires an asset inventory for all information systems and their supporting components. This includes a variety of items such as hardware, operating systems, applications, infrastructure devices, APIs, and cloud services. Key information must be tracked including the information owner, location, classification, support expiration date, and recovery time objectives.

The second amendment clarifies the definition of privileged access as access that allows a user to perform security-relevant functions that ordinary users are not authorized to perform, including the ability to add, change, or remove other accounts, or make configuration changes.

Privileged accounts, as defined, must be limited to only those necessary to perform the user’s job function and require access to be removed as soon as it is no longer needed. A periodic review of all user access privileges supports this limitation.

The guidance takes security a step further by requiring additional access controls:

• Disable or securely configure the ability to remotely access devices,
• Promptly terminate access following departures,
• If passwords are used as an authentication method, they should be strong and unique, and
• MFA. 

MFA is required for remote access to the Company’s information systems, third party applications that access NPI, and all privileged accounts other than service accounts that prohibit interactive login. However, there is an exception for instances where reasonably equivalent or more secure compensating controls are documented and are approved by the CISO in writing.

Compensating controls must be periodically reviewed based on the Company’s risk assessment but at a minimum annually. 

Incident response and business continuity management include three primary components:

1. Risk identification and assessment,
2. Risk mitigation, and
3. Ongoing monitoring.

The second amendment adds a requirement for IR plans to address ransomware incidents. If a cybersecurity event occurs, the Company is required to prepare a root cause analysis including what will be done to prevent reoccurrence.

BCDR plans are required to designate essential data and personnel, communication plans, back-up facilities, and identifying necessary third parties. Companies are required to document procedures for the maintenance of back-up facilities, systems, and infrastructure as well as alternative staffing.

Companies must maintain backups necessary to restoring material operations that are adequately protected from unauthorized alterations or destruction.

The IR and BCDR plans require testing at least annually with all staff who are critical to the response, including senior officers and the CEO. These plans must be available to all applicable employees and a copy must be available at an offsite location.

The Company is required to provide training to all employees responsible for implementing the plans. The plans also need to be reviewed and updated by all participants.

The initial phase of monitoring includes assessments to monitor potential risk. The second amendment expands the definition of risk assessment to incorporate threat and vulnerability analyses and to consider mitigations provided by security controls that are planned or in place. 

The expanded definition addresses the risk that Companies may conduct a generic risk assessment instead of one tailored to risks identified in their environment. In 2020, EyeMed had conducted a risk assessment, but it was inadequate and did not take into account some obvious risks, such as storing NPI in email accounts. 

In addition, Companies will be required to update the risk assessment at a minimum annually, and when there is a change in the business or technology that causes a material change to cyber risk such as a major system implementation or acquisition. Business and technology changes necessitate IT and the business to be in open discussion.

The second amendment continually refers back to the risk assessment throughout the legislation, highlighting that the risk assessment is at the core of a healthy cybersecurity program. For example, the training section (500.14) notes that cybersecurity awareness must reflect the risks identified in the risk assessment and the testing section (500.5) notes that the frequency and scope of penetration and vulnerability scanning must be based on the risk assessment. 

The noticeable uptick in phishing emails is also addressed. The second amendment requires that emails are monitored and filtered to block malicious content. It also expands annual cybersecurity awareness training to include training on phishing emails and other social engineering methods. Remember, employees represent the greatest security risk to an organization and training represents a simple, yet effective, defense.

In addition to new email controls and employee training; penetration test and vulnerability scan requirements are stronger. The scope of penetration testing expands to include both internal and external scans and must be conducted by a qualified internal or external party. An added benefit of hiring an external party to perform the scans is their independence from the Company. Vulnerability scans must be automated with a manual review of systems not covered by such scans in addition to a process to monitor and remediate vulnerabilities. 

Section 500.17 retains the 72-hour notification rule for a cybersecurity event, and includes two new notification requirements within the 72 hour window:

• Unauthorized access to privileged accounts, and 
• Deployment of ransomware within a material part of the covered entity’s information system.

The 72-hour timeframe also applies to cybersecurity events at affiliates and third party service providers that affect a covered entity. 

After notice of the cybersecurity event, covered entities are required to promptly provide any information requested by the superintendent regarding the event. And, covered entities have a continuing obligation to update and supplement the information provided.

Two additional notification requirements apply to extortion payments related to a cybersecurity event: 

• Notice of the extortion payment within 24 hours, and
• A written description for why the payment was necessary, alternatives that were considered, and sanction diligence conducted within 30 days of the extortion payment.

The annual submission deadline to the superintendent is changed from February 15 to April 15. Submissions that identify areas of improvement must include remediation plans in the submissions.