[author: Benjamin Kalman]

Proposed Amendments to 23 NYCRR Part 500  

If you are the chief information security officer (“CISO”) of a fintech company operating in New York, you may already be aware that, on November 9, 2022, the New York State Department of Financial Services (“DFS”) proposed a second amendment to 23 NYCRR Part 500 (the “DFS Cybersecurity Regulation”). While many of the requirements included in the original 2017 DFS Cybersecurity Regulation remain, the proposed amendments impose heightened requirements for companies covered by the regulation.

Here are some important takeaways on the proposed amendments for fintech companies (and tech companies generally):

• Covered Entities. The definition of “covered entity” remains largely the same under the proposed amendments. A fintech company will be considered a “covered entity” for purposes of 23 NYCRR Part 500 if it is subject to licensing, registration, or other requirements under New York State’s Banking Law, Insurance Law, or Financial Services Law. While a comprehensive review of such requirements is outside the scope of this blog post, note that all companies (with some enumerated exceptions) engaged in the “business of selling or issuing checks” and the “business of receiving money for transmission or transmitting the same” (READ: money transmitters) must be licensed pursuant to § 641(1) of the Banking Law, and thus may be considered a “covered entity” for purposes of the DFS Cybersecurity Regulation.
• Class A Companies. The proposed amendments introduce a new class of regulated entity: “Class A companies”. Class A companies are defined as covered entities with at least $20 million in gross annual revenue (across all affiliate entities) in New York State in each of the last two fiscal years, and either (1) 2,000 employees (across all affiliate entities, regardless of location), or (2) over $1 billion in gross annual revenue (again, across all affiliate entities) in each of the last two fiscal years. If adopted in its current form, the proposed amendments will add the following heightened requirements for Class A companies (among others):
  • Conducting an independent audit of the company’s cybersecurity programs at least annually;
  • Implementing an automated method of blocking commonly used passwords for all user accounts;
  • Engaging external experts to conduct risk assessments at least once every three years;
  • Implementing an endpoint detection and response solution to monitor anomalous activity, along with a solution that centralizes logging and security event alerting.

What Can You Do?

For all covered entities (including the newly-defined “Class A companies”), compliance with the proposed amendments will require a comprehensive review (and potential overhaul) of existing cybersecurity policies. However, in preparing for the proposed amendments to take effect (which could occur at any time in 2023), below are some preliminary steps to take and important timelines to keep in mind:

• Effective Immediately
  • Annual Certification. A number of provisions will take immediate effect following the effective date of the proposed second amendment (“Effective Date”). One such provision requires that covered entities prepare and submit to DFS a “certification of compliance” either (i) confirming that the covered entity complied with the regulation, or (ii) acknowledging that the entity did not comply, identifying areas of noncompliance, identifying all areas, systems and processes requiring material improvement, and providing plans for remediation. This certification must be signed by the covered entity’s “highest-ranking executive” and its CISO (or the senior officer responsible for the covered entity’s cybersecurity program in absence of a CISO).

• Thirty Days
  • Within thirty days of the Effective Date, covered entities will need to ensure that cybersecurity policies reflect the following:
    • Ransomware. In the event that a ransom payment is made in response to a ransomware attack, covered entities will need to:
      • 1) Notify DFS within 24 hours of the payment; and
      • 2) Provide DFS within 30 days of the payment with a written statement explaining why payment was made (in addition to other points).
    • Notice of Cybersecurity Attack. The proposed amendments retain the requirement to notify DFS within 72 hours of a cybersecurity event; however, the proposed amendments expand the list of types of cybersecurity events subject to this notice requirement and add in that covered entities must further:
      • Provide any information “regarding the investigation of the cybersecurity event” requested by DFS within 90 days of a cybersecurity event; and
      • Notify DFS within 72 hours of a cybersecurity event at a third party service provider.

• One Year
  • Backups. Within one year of the Effective Date, covered entities will need to maintain backups that are adequately protected from unauthorized alterations or destructions.

• Eighteen Months
  • Within eighteen months of the Effective Date, covered entities’ cybersecurity policies will need to include the following policies and procedures:
    • Scans. Moving forward, covered entities will need to conduct annual automated scans of information systems (and manually review systems not covered by automated scans) to analyze and report on vulnerabilities.
    • Password Policy. Covered entities will need to implement written password protection policies that meet “industry standards”. As noted above, Class A companies will have additional and heightened requirements.
    • Multi-Factor Authentication (“MFA”). Covered entities will need to use MFA for (1) remote access to information systems, (2) remote access to third-party applications (including cloud-based applications), and (3) all privileged accounts.
    • Malicious Code Protection. Covered entities will need to implement controls that protect against malicious code (including monitoring and filtering web traffic and emails).

• Two Years
  • Asset Inventory. Within two years of the Effective Date, covered entities must implement written policies and procedures designed to “ensure a complete, accurate and documented asset inventory”.

• All other provisions will become effective 180 days after the Effective Date (unless otherwise noted in the text of the proposed amendments.

As noted above, this information should be viewed as a starting point and not as an exhaustive list of measures that need to be taken once the proposed amendments become effective. Companies must thoroughly review the proposed amendments to understand all updated obligations. This is especially pertinent given the updates to the enforcement-related provisions of the proposed amendments, which provide that failure to satisfy obligations required under the regulation for as few as 24 hours may result in DFS assessing a penalty.