The New York Department of Financial Services (“DFS”) has proposed rule changes to increase cyber compliance requirements. DFS has been the leading regulatory force in the cybersecurity industry.
DFS first issued comprehensive cybersecurity rules in March 2017. Many other regulators and international organizations have since adopted these regulations as best practices for cybersecurity requirements.
The proposed rules would impose some significant requirements, including:
- Expansion of covered companies to designate heightened requirements for entities with over 2000 employees or over $1 billion in gross annual revenue, averaged over the prior 3-year period;
- A new 24-hour reporting requirement for ransom payments after they are made, and a requirement that the company submit a written explanation of why it made the payment;
- Adoption of an annual audit requirement;
- Improvement of basic governance requirements; and
- Expansion of risk assessment and incident assessments.
The proposed DFS regulations create a new class of larger companies, “Class A” companies, that will be subject to additional cybersecurity requirements. Class A companies will be required to conduct an independent cybersecurity audit each year. In addition, Class A companies will have to conduct weekly, systematic scans or reviews of information systems; document any material gaps found during the review; and report the material gaps to senior management and the board. Finally, Class A companies will be subject to password controls and will have to implement an endpoint detection and response (EDR) solution for monitoring purposes.
With respect to cybersecurity governance, DFS’ original regulations established strong governance as a central aspect of an effective cybersecurity program. The existing regulations require cybersecurity reporting to the board, review and approval of written policies and procedures by a senior officer of the company, and the appointment of a Chief Information Security Officer (CISO).
DFS’ proposed regulations would raise the governance requirements further, including:
- a requirement that corporate boards include members with the requisite cybersecurity expertise;
- a requirement that the CISO have adequate independence and authority;
- a requirement that the CISO provide the board with an annual reporting plan and that the board approve cybersecurity policies each year; and
- expansion of the annual CEO and CISO certification requirements.
With respect to risk assessments, the proposed DFS regulations introduce new definitions to confirm that the assessment is updated annually and addresses issues such as staffing, governance, businesses, services, products, operations, customers, counterparties, vendors, and geographic locations. Class A companies must have an external expert conduct a risk assessment every 3 years. As part of the risk assessment process, covered companies would have to conduct impact assessments to address changes in the business that could materially change the company’s cyber risks.
On the technology side, the proposed rules expand the requirements for privileged accounts, including restricted access, multi-factor authentication, and remote-control capabilities for devices so that they can be disabled or securely configured when needed. Further, every organization will be required to conduct a complete asset inventory that tracks information for all hardware, operating systems, applications, infrastructure devices, APIs, and cloud services.