
NYDFS Proposed Amendments to the Part 500 Cybersecurity Regulation

On November 9, 2022, the New York Department of Financial Services (NYDFS) released its second proposed amendments to the Part 500 Cybersecurity Regulation. The proposed amendments revise several aspects of the draft Cybersecurity Regulation amendments released on July 29, 2022. These changes reflect a number of comments made in response to the draft Cybersecurity Regulation and further clarify and strengthen various requirements, as highlighted below.

The following are some of the key changes in the proposed amendments:

Notification Requirement

The proposed amendments introduce three new cybersecurity events that Covered Entities must report to NYDFS through the NYDFS online cybersecurity portal within 72 hours:

Additionally, Covered Entities must provide NYDFS with any further information requested by NYDFS related to the investigation of a cybersecurity event within 90 days of notice. The Covered Entity must also provide continuous updates and any supplementary information related to the investigation.

The proposed amendments introduce a new notification requirement for ransomware payments. If a Covered Entity makes a ransomware payment, the Covered Entity is required to notify NYDFS within 24 hours of the payment. When notifying NYDFS, a Covered Entity that makes a ransomware payment must also provide a written description of the payment within 30 days, explaining why the payment was necessary, what alternatives were available and all related diligence performed to ensure compliance with any applicable laws and regulations.

Revised Definition of Class A Companies

The proposed amendments now define Class A companies as Covered Entities with at least $20 billion in gross annual revenue in-state in each of the past two fiscal years from business operations of the Covered Entity and its affiliates, and either: (1) more than 2,000 employees over the past two fiscal years, regardless of location, including those of both the Covered Entity and all of its affiliates, or (2) more than $1 billion in gross annual revenue in each of the past two fiscal years from all business operations of the Covered Entity and all of its affiliates. A Covered Entity that qualifies as a Class A company will also be subject to several additional compliance requirements under the proposed amendments, including an independent audit at least annually by an external auditor, the use of external experts to conduct risk assessments at least once every three years and implementation of an endpoint detection and response solution.

Penetration Testing, Vulnerability Assessments and Risk Assessments

The proposed amendments make significant changes to the technical requirements of the Cybersecurity Regulation. Some of these changes include:

  • Covered Entities must conduct penetration testing of their systems, internally and externally, by a qualified internal or external independent party at least annually.

  • Covered Entities must have a monitoring process that ensures prompt notification of any new security vulnerabilities.

  • Covered Entities must have written policies and procedures for vulnerability management, require automated scans of systems and manually review systems not covered by those scans as frequently as determined by the risk assessment or promptly after any major system changes.

  • Covered Entities must review and update their risk assessments at least annually, and whenever a significant change in business or technology causes a material change to their cyber risk.

Cybersecurity Plan

The proposed amendments now require a Covered Entity to address new areas in its cybersecurity plans, including data retention, end-of-life management, remote access controls, systems monitoring, security awareness and training, application security, incident notification and vulnerability management.

The proposed amendments also require a Covered Entity to limit the number of accounts, access functions and actual use to what is necessary for a user to perform their job. This includes a requirement that a Covered Entity periodically, and at least annually, review all user access privileges and remove or disable accounts that are no longer necessary (ie, prompt termination of systems access following an employee’s departure).

The proposed amendments introduce a new certification requirement under which a Covered Entity must have its highest-ranking executive and its CISO (or senior cybersecurity officer) sign an annual certification of compliance with NYDFS Part 500.

Incident Response and Business Continuity and Disaster Recovery Plan

The proposed amendments now require a Covered Entity to provide relevant training on its incident response plan and its business continuity and disaster recovery plan to all employees necessary to implement those plans. The plans must be tested at least annually, and must be distributed to and accessible by the relevant employees.

Multifactor Authentication

The proposed amendments require a Covered Entity to use multifactor authentication (MFA) for all remote access to systems, third-party applications and all privileged accounts. Alternatively, the CISO may approve in writing the use of reasonably equivalent or more secure controls in place of MFA, and that approval must be reviewed periodically and at least annually by the CISO.

Cybersecurity Governance

The proposed amendments require a senior governing body to approve a Covered Entity’s cybersecurity policies and procedures for the protection of its systems and of the nonpublic information stored on those systems, at least annually.

The proposed amendments also set out several requirements for CISOs, and give them adequate authority to “ensure cybersecurity risks are appropriately managed.” Some of these requirements include timely reporting to the senior governing body on material cybersecurity issues (ie, major cybersecurity events or updates to risk assessments) and reporting plans of remediation to address material inadequacies.

The proposed amendments also require a Covered Entity’s board of directors or equivalent (ie, an appropriate committee of the board) to exercise oversight of cybersecurity risk management, including developing, implementing and maintaining cybersecurity programs. The board of directors or equivalent must possess sufficient expertise or knowledge, or be advised by persons with sufficient expertise or knowledge, to exercise oversight of cybersecurity risk management.

The 60-day public comment period on the proposed amendments ends on January 9, 2023, and members of the public are invited to submit comments here.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved. National Law Review, Volume XII, Number 327
