On November 9, 2022, the New York Department of Financial Services ("NYDFS") announced the publication of the official proposed amendments to its 2017 Cybersecurity Regulation, 23 NYCRR 500 ("Proposed Amendments"). This announcement follows a highly active pre-proposal comment period, during which industry stakeholders shared their thoughts with the NYDFS on the changes under consideration, which we covered in an Overview, a Q&A, and a webcast. The 60-day public comment period on the Proposed Amendments ends on January 9, 2023. In this blog post, we discuss our initial observations on the significant changes between the new release and the pre-proposal.

Highlights of what we learned from the revisions:

  • NYDFS took the time to ingest comments and clarify interpretations, so the next round of comments is very important.
  • The Revised Proposal softens the definition of Class A companies.
  • The Revised Proposal softens the prescriptive requirements around key controls, bringing back some of the risk-based elements of the existing Part 500.
  • NYDFS understands that the implementation periods for some technical elements were too aggressive and has softened those requirements.

Revised Definition of Class A Companies and of Other Key Terms

In the pre-proposal, NYDFS created a new category of companies called "Class A" companies. Class A companies were defined as those with over 2,000 employees as part of the covered entity and its affiliates OR those companies with over $1 billion in gross annual revenues averaged over the last three years for the covered entity and affiliates. The Proposed Amendments revised the definition of Class A Companies. The new formulation appears designed to reduce the scope of the Class A Companies.

  • As a threshold, the Covered Entity must have in-state (New York) gross annual revenue of "at least $20,000,000" "in each of the last two fiscal years from business operations of the covered entity and its affiliates." This may exclude some international banks with small branches in New York from the Class A definition.
  • If the $20 million revenue in New York threshold is met, then:
    • The Proposed Amendments now clarify that a company would be a Class A company if it has over 2,000 employees as an average over the last two fiscal years, still counting the covered entity and its affiliates.
    • Alternatively, a company can be Class A if the global gross annual revenue threshold of $1 billion is met in each of the last two fiscal years, rather than as an average (the pre-proposal used a three-year average).

This revised definition addresses Question 1 from our webcast by clarifying when a small NY branch of a larger overseas company might be considered a Class A Company. In addition, the Proposed Amendments:

  • Remove the possibility that an internal audit can satisfy an "independent audit" by making clear that an audit must be conducted by an external auditor;
  • Carve out "governmental entity" from the definition of a "third party service provider";
  • Change references to the CEO for requirements such as compliance certification to the "highest-ranking executive at the covered entity," which resolves an ambiguity in the pre-proposal draft under which these requirements might have attached to the CEOs of parent companies of Covered Entities that themselves have no CEO.

Emphasis on Certain Key Cybersecurity Domains

Certain revisions throughout the Proposed Amendments reflect NYDFS's enhanced focus on key cybersecurity domains and industry best practices. For example:

  • Cybersecurity policies and procedures – [500.3] the addition of data "retention," systems and network "monitoring," "security awareness and training," and incident "notification" to the list of areas that must be addressed (to the extent applicable) by the covered entity's cybersecurity policies based on its risk assessment.
  • Incident Investigation – [500.16] the addition of an explicit reference to the investigat[ive] aspects of an incident response plan.
  • Annual Training and Testing of Incident Response Plan – [500.14 & 500.16(d)(1)] the addition of a minimum annual cadence to (1) the training requirement with an explicit reference to social engineering exercises (expansion from just "phishing"); and (2) the testing requirement for incident response plans (the requirement for CEO participation is replaced with that of the "highest-ranking executive" of the Covered Entity).
  • Backups – [500.16(e)] the change of the backup requirement from an action-oriented one (network isolation) to a goal-oriented one (adequate protection from unauthorized alteration or destruction).
  • Remedial Measures – [500.17(b)(1)(ii)(d)] the addition of "remediation plans and timeline for their implementation" as a required element of a covered entity's written annual certification.

Softening of Certain Prescriptive Governance Requirements

The Proposed Amendments remove the CISO independence requirement in the pre-proposal draft and adjust the mandatory nature of the additional board reporting requirement.

  • The Proposed Amendments require the CISO to have authority and "the ability to direct sufficient resources to implement and maintain a cybersecurity program" but remove the requirement for CISO independence. This appears to be more practical for the purposes of effective program implementation and oversight without getting into locations on an org chart.
  • The Proposed Amendments further amend the CISO's annual reporting to the Board or equivalent. The CISO still needs to consider a number of factors in developing a report, but the report no longer needs to include discussions of each such factor and does not need to include plans for remediating inadequacies.
  • Finally, the Proposed Amendments seem to clarify that the Board's role is to "exercise oversight and provide direction to management on ... cybersecurity risk management." Covered Entities still need to report material issues found in the vulnerability management program to the "senior governing body."
