
New York Proposes Amendments to Cybersecurity Regulations

The New York Department of Financial Services (“NYDFS”) recently proposed draft amendments to its cybersecurity regulations that would expand the obligations of covered entities in relation to cybersecurity events. The proposals tighten some existing requirements and add new duties on top of them, create a new class of company to which even further requirements would apply, and make three changes related to ransomware attacks: treating a ransomware attack as a cybersecurity event, requiring notice to the NYDFS within 24 hours of making a payment in response to a ransomware attack, and requiring entities to provide the NYDFS with a written rationale for why such a payment was necessary.

In response to any ransomware attack on a covered entity, the entity would be required to notify the NYDFS within 24 hours of making a ransomware payment and meet a 30-day requirement to provide a written defense as to why a payment was made, what alternatives were considered and what review was conducted to ensure no payments were made to any sanctioned persons. 

The amendments would create a new “Class A” defined group of companies, covering organizations with over 2,000 employees or over $1 billion in gross annual revenue over the last three years. These companies would be required to comply with additional technical requirements that would not apply to other covered entities, and to conduct additional risk assessments and audits. Specifically, they would need to conduct weekly reviews to detect vulnerabilities, an annual audit of their cybersecurity program and an expert risk assessment every three years.

The proposals would enhance the requirements for the governing bodies of organizations subject to the cybersecurity regulation, including that the members of those bodies themselves have sufficient expertise and knowledge for effective oversight of cybersecurity risks, or be advised by such experts. The Chief Information Security Officer, already required under the original cybersecurity regulation, would be required to provide annual reporting on remediation of cybersecurity risks, obtain annual approval of cybersecurity policies and provide enhanced annual certifications of the entity’s compliance with the cybersecurity regulation.

While the original cybersecurity regulation required development of cybersecurity incident response plans, the new amendments would also require written business continuity and disaster recovery plans, as well as new policy requirements for handling of special types of accounts called “privileged accounts” that are used to perform activities related to cybersecurity. 

The draft amendments were published July 29, 2022, with a comment period expiring on August 8, 2022. The amendments will be officially published as proposed amendments after the end of the draft comment period.
