NYDFS Issues Revised Proposed Second Amendment to Its Cybersecurity Regulation
Posted in Data Counsel
The New York State Department of Financial Services (NYDFS) recently published a revised proposed second amendment to its cybersecurity regulation, 23 NYCRR 500. We wrote about the first and second proposed amendments here and here, respectively. Below are some of the key changes in the most recent proposed amendment.
Cybersecurity Governance: CISO and Board Oversight
The most recent proposed amendment seeks to clarify the definition and role of a chief information security officer (CISO), and to make clear that the “senior governing body” (the previous proposed amendment used “board of directors or equivalent”) must have oversight of a covered entity’s cybersecurity program.
Risk Assessments
The most recent proposed amendment narrows the definition of risk assessment and removes a requirement that Class A companies use external experts to conduct a risk assessment once every three years.
Security Controls
This proposed amendment revised the requirement that Class A companies implement an automated method of blocking commonly used passwords. The amendment now requires this only for accounts on information systems owned or controlled by the Class A company and, wherever feasible, for all other accounts. This change was proposed in response to comments that the requirement, as previously written, might be infeasible for third-party applications and services.
Revised MFA requirement: The proposed amendment strengthened the multi-factor authentication (MFA) requirement but revised the qualified exemption applicable to some small companies. Under the second proposed amendment, MFA would be required for any individual accessing any of the covered entity’s information systems. For small companies that qualify for an exemption, MFA would be required for: (1) remote access to the covered entity’s information systems; (2) remote access to third-party applications, including but not limited to those that are cloud based, from which nonpublic information is accessible; and (3) all privileged accounts other than service accounts that prohibit interactive login.
Incident Response and BCDR Plans
Notice Requirements
The previous version of the proposed amendment required covered entities to provide the superintendent with any information requested regarding the investigation of a cybersecurity event within 90 days of the notice of the event. In response to commenters expressing concern that this deadline could be difficult to meet, NYDFS dropped the 90-day requirement. This provision now reads: “Each covered entity shall promptly provide any information requested regarding such [reportable cybersecurity] event. Covered entities shall have a continuing obligation to update and supplement the information provided.” §500.17(a)(2).
The new proposed amendment, like the previous version, requires covered entities to notify the superintendent within 72 hours of determining that a cybersecurity event has occurred in which an unauthorized user gained access to a privileged account. In response to comments that the previous definition of privileged account was too broad when read together with this notification requirement, the new proposed amendment removed from that definition any account that can be used to effect a material change to the technical or business operations of the covered entity.
Under the prior proposed amendment, covered entities were required to submit to the superintendent annually a written acknowledgment identifying all areas, systems and processes that required material improvement, updating, or redesign. Commenters expressed concern that delivering this list to NYDFS would itself pose a security risk, since it would hand bad actors a list of prime targets for a cyberattack. Others commented that this notification requirement was overly burdensome. In response, NYDFS removed this notification requirement in the most recent proposed amendment, which instead requires the information to be available for examination and inspection at the request of NYDFS.
What’s Next and What You Can Do Now
NYDFS will review all public comments to the revised second amendment. NYDFS has not announced whether it will propose additional revisions or will finalize the updated regulation, nor has NYDFS announced a timeline for either.
In the meantime, companies can prepare for the updated regulation now by doing the following:
These are all parts of a robust cybersecurity program. Taking action now will place your organization ahead of the game before the amended regulation is final.