Time’s up! New York cyber changes are final

Revisions to the New York State Department of Financial Services (NYSDFS) Part 500 cybersecurity regulation are now final — just in time for 2024 budgets. First proposed in July 2022, the draft underwent several iterations since, notably in November 2022 and June 2023. While some of the more prescriptive elements of the proposed rule have given way to a more flexible, risk-based approach, most of the rule’s revisions remain intact. The final rule retains enhanced requirements for governance, risk assessments, password and data management, as well as the net-new requirements for asset inventory, business continuity and disaster recovery (BCDR), and independent audits.

With this revision, NYSDFS is emphasizing compliance and governance from several angles — from the top down, by requiring CEO and CISO signoff based on data and documentation and a required role for the board; from the bottom up, by setting minimum required frequency for control execution and requiring documentation; and from the side, by injecting the independent audit requirement as an independent check on the program.

CEO, CISO: Document compliance, then certify

As of December 1, 2023, not only must the highest ranking executive (usually, and hereafter, the CEO) now sign off on compliance with the regulation, but this certification must now be based on data and documentation sufficient to accurately determine and demonstrate material compliance (described further below), including any reliance on third parties and affiliates to meet the requirements. Because this change takes effect on December 1, 2023, it will be in place in time to lift the bar for this year’s certification, due for submission by April 15, 2024. Where some firms may have relied on control owner attestation, evidence of control execution would now be expected. If a firm can’t certify its material compliance, it must file a written statement and include timelines for remediation to obtain material compliance.

All revisions to notice requirements, including certification and cybersecurity event reporting (500.17 Notices to the Superintendent), now take effect on December 1, 2023.

Throughout the regulation, the NYSDFS specifies that firms must conduct certain activities at least annually and introduces the requirement that they review and approve compensating controls in writing. The new incident-response and BCDR requirements specify annual testing, and the risk assessment must be executed at least annually with the policies and procedures it drives reviewed and approved at least annually as well. While an annual or more frequent cadence of control execution and program validation is implied by the current annual certification requirement, the NYSDFS is making its views explicit: Certify compensating controls at least annually and back it up with documentation.

The data-and-documentation basis for certification indicates that the regulator has seen shortcomings in firms’ approaches to evidencing compliance. Indeed, many enforcement actions under Part 500 have cited shortcomings in compliance certification (500.17(b) Violations). Requiring CEO certification or, in lieu of that, a written acknowledgement of noncompliance, raises the bar — the CISO may have no qualms signing off on the program based on direct knowledge, but proving the program is compliant to a non-cyber executive may be more difficult. It’s a challenge that firms may need to overcome by year-end. For 2024 and beyond, that same challenge will extend over program elements that aren’t typically under the CISO’s purview, such as technology (patching and asset inventory) and resiliency (BCDR planning, testing and backups).

What’s changed since the June proposal?

The final rule requires Class A companies (large companies, as defined further below, facing the most stringent requirements) to execute independent audits based on their risk assessment, rather than on an annual basis. While the annual requirement is no longer stated, the audit is now linked to the risk assessment, which the revision now requires to be refreshed at least annually.

Independent audit requirement starts April 29, 2024, for large companies. Class A companies must conduct an independent audit of their cybersecurity program meeting NYSDFS rule 500 requirements based on their risk assessment. In the discussion of public comments, the regulator acknowledged that many companies typically conduct multiple independent audits annually of their cybersecurity program capabilities (e.g., incident response, multi-factor authentication (MFA)) based on the risk level each year, and aligned this requirement with the regulation’s overall flexible, risk-based approach. We expect these audits to play two roles, therefore — meeting the new requirements but also informing and supporting the certification process, by supplying an independent, evidence-based view of the cyber program.

With the risk assessment now required at least annually, covered entities should use the assessment to inform their audit plan by focusing not only on traditional cybersecurity capabilities but also technology operations (such as net-new requirements for asset inventory) and operational resilience (such as net-new BCDR planning and testing).

What other changes were adopted?

The final amendments cement stricter requirements for a new category of “Class A companies,” defined as firms $20 million in New York revenue and either 2,000 employees or an average of $1b in gross annual revenues over the past three years. Both definitions include “affiliates,” or firms with common ownership that share information systems, cyber resources or any part of a cybersecurity program with the NYDFS-supervised institutions. This significantly expands the universe of companies deemed Class A. In addition to the independent audit, Class A companies will have to implement:

1. A privileged access management solution,
2. An automated password solution and controls to prevent the usage of common passwords for privileged accounts,
3. An endpoint detection and response system to monitor for anomalous activity, and
4. A centralized method for logging and alerting on security events.

While most of the substantive changes won’t become effective for 180 days, or by April 29, 2024, the timing raises the bar on compliance evidence almost immediately. The longer transition periods reflect an acknowledgement that the revision’s core requirements may pose significant challenges to firms.

• Within one year — November 1, 2024. Requirements for ad hoc CISO reporting to the board (500.4) and data encryption (500.15) take effect. The new requirements for incident response and disaster recovery, including testing and ability to restore from backups (500.16), also apply at the one-year mark. With these net-new requirements now in effect for the 2024 certification, due for submission by April 15, 2025, we would expect the CISO and CEO to pay close attention to an independent audit of these areas.
• Within 18 months — April 30, 2025. Multiple technical safeguards are required:
  • Automated and manual vulnerability management capabilities and processes that adhere to risk assessment results (500.5(a)(2))
  • Privileged access management and password management capabilities and processes prioritizing password security and system access control (500.7)
  • Risk-focused capabilities (both preventive and detective) and processes enhancing password security and system access control (500.14(a)(2))
  • Endpoint detection and response, and centralized logging and security event alerting capabilities and processes to enable monitoring of critical events (500.14(b))
  “Full” compliance is now “material” compliance

  The newly effective version requires the ability to certify for “material” compliance. The regulator has left it up to each covered entity to define and establish criteria for material compliance, previously noting that materiality will vary for each covered entity and will depend on their specific circumstances. Material compliance is also referenced within 500.20(b) in communicating criteria for citing violations that can lead to fines and other penalties.

  

  

  What you need to do

  The waiting is over. Now’s the time to take action.
  

  • Define “material.” Because the regulation now requires material compliance, and several sections refer to materiality thresholds, it’s essential to establish well-documented criteria for assessing materiality. It’s important to note, materiality will apply at the level of the covered entity, and if there are multiple covered entities as part of a larger group structure, what’s material for one may not be material for another. Also, what’s material for a covered entity may or may not be material from an enterprise perspective, or at the level of an SEC registrant. Clearly documenting criteria and decision making will facilitate the evaluation and documentation of compliance, especially when examiners raise questions.
  • Enhance cybersecurity incident notification and related follow-up processes. Communications supporting material cybersecurity incidents within the organization, its affiliates or third-party service providers to the regulator must support compliance by December 1, 2023 (see 500.17(a) and 500.17(c)). Also see ‘Navigate competing SEC disclosure obligations’ below.
  • Enhance compliance evidence for CEO sign-off. This change is effective for the 2023 certification, due for submission by April 15, 2024 (see 500.17(b)). The requirement that the CEO cosign with the CISO and that certification be based on data and documentation sufficient to demonstrate “material” compliance will require a move away from control owner attestation and toward collecting evidence of control execution and effectiveness. Some firms may be able to present a single package of documentation demonstrating how each requirement is met, with mapping to policies, procedures, controls and control execution or testing evidence. Others should identify this as their target state. Because firms must certify based on this evidence, gaps in the ability to do so may now open those who can’t to regulatory sanction, fines and other penalties.
  • Identify areas that require immediate attention. The process of conducting a full inventory of assets to meet the updated requirements may be time-consuming, yet this inventory is indispensable for shaping the risk assessment underpinning your entire cybersecurity program. For many organizations, creating and maintaining a thorough asset inventory can present significant challenges, making it the likely bottleneck despite the two-year window for completion.
  • Identify stakeholders, critical paths and necessary staging. Stakeholders encompass staff, senior management, the board, and customers who may be impacted by the heightened security requirements for accessing their accounts. Some changes may be straightforward, such as administrative adjustments to incident-reporting protocols, while others — like endpoint detection for Class A companies, the asset inventory, and BCDR testing — will necessitate broader involvement from stakeholders across the organization. With certification now including domains outside the typical CISO responsibility, such as asset inventories and continuity testing, an independent audit that includes them will be important in supporting both CISO and CEO certification. It will be necessary to align CISO, technology and resiliency organizations with independent audit around capability requirements, control design and execution expectations and what constitutes evidence sufficient to support certification.
  • Budget for the changes. With corporate budgeting for the coming year firmly underway, firms should begin planning for any necessary technology improvements. The two years to meet the asset inventory and MFA requirements will pass quickly, and the NYSDFS has shown that it’s an aggressive enforcer. For larger firms, start analyzing whether the Class A designation applies. All firms should set aside resources for compliance planning and preparations in this budgeting cycle. For example, the elimination of text messages as a permissible component of an MFA solution and the requirement that the CISO review and approve at least annually in writing any compensating controls may require enhancing your MFA approach and related technologies. Applying and periodically reviewing the principle of least privilege and privilege account management may be a heavy lift, depending on your firm’s size and complexity.
  • Assess your current pace of testing, control execution, control testing and evidence collection. It may be necessary to expedite testing processes to meet deadlines, alongside the implementation of readiness and business continuity plans. Confirming you have the right talent in all three lines of defense is crucial, particularly in the context of a competitive and challenging job market. Comprehensive documentation of control execution evidence, as well as evidence from second- and third-line (i.e., independent) testing, is indispensable to support the annual certification process.
    
  • Confront your technology debt before it comes due. For some covered entities, the required changes may prompt discussions around broader technology uplift. The asset management policy must be enhanced to speak to end-of-life management by April 29, 2024; encryption must be expanded by November 1, 2024; and MFA expanded and the asset inventory completed by November 1, 2025. At this point, it may become apparent that certain legacy assets, which may be beyond end of support life, are incapable of supporting encryption or MFA — in contrast to what the asset management policy requires. Add in the independent audit requirement, which may well examine one of more of these program elements, and organizations that have put off upgrades may find themselves confronting that deferred technology investment.
    
  • Navigate competing SEC disclosure obligations. For publicly listed financial services firms subject to the SEC’s recent cybersecurity disclosure rule published in July and effective as of September, the NYDFS requirements may pose coordination challenges. Both require incident reporting, but the scope and materiality definitions may differ. For example, the NYSDFS rule applies to the covered entity, which may be one of several subsidiaries of a parent company subject to the SEC rule. However, there are also synergies, such as the mutual emphasis on board oversight, raising the stakes for board members to increase their education around the cybersecurity threat environment in order to effectively challenge management.