June 30, 2023
Are You Prepared for Proposed Changes to NYDFS Part 500 Cyber Regulation?
Cybersecurity events occur every day, as laid out in our recent article. One that captured headlines, the EyeMed breach, resulted in a $4.5 million penalty from NYDFS.
Nationally, the New York Department of Financial Services (NYDFS) Part 500 Cybersecurity Regulation serves as a yardstick for cyber regulation across the country. This is evidenced by the NAIC Insurance Data Security Model Law (Model Law), which establishes data security standards for regulators and insurers to mitigate the damage of a data breach. The Model Law is a template that states can adopt and was created based in part on Part 500.
As of March 2023, the Model Law has been adopted by 21 states and is pending in 3 additional states, after the first state enacted it in 2018. The Model Law has made steady progress across the U.S. over the last five years and is expected to continue to spread. It is therefore likely that updates to Part 500 will ripple through other states' cyber regulations.
In this article we cover in depth the proposed revisions to Part 500, including: the definition of a Class A company, the additional requirements for Class A companies, and the updates to governance, technology, and monitoring/notification requirements.
Adoption Timeline
An initial draft of the second amendment to Part 500 was published in November 2022. A revised draft incorporating feedback received during the 60-day comment period was published on June 28, 2023 with a shorter 45-day comment period, intended to allow the amendment to become effective by the end of 2023. This article details the requirements of the second amendment as written in the June 28, 2023 draft.
Once the second amendment is effective, covered entities will have 180 days to implement the changes, unless another timeline is specified.
Below are specific timelines included in the second amendment, which will be calculated based on the effective date of the amendment:
- 30 days to implement:
- New notification requirements (500.17)
- One year to implement:
- CISO reporting to the Board of Directors (500.4)
- Data encryption (500.15)
- Incident response and business continuity (500.16)
- Backups protected from unauthorized alteration or destruction (500.16(e))
- Exemptions (500.19(a))
- 18 months to implement:
- Automated vulnerability scans (500.5(a)(2))
- Access privileges and changes to passwords (500.7)
- Protections against malicious code (500.14(a)(2))
- Endpoint and centralized logging solutions (500.14(b))
- Two years to implement:
- Multi-factor Authentication (MFA) (500.12)
- Asset management and data inventory requirements (500.13(a))
New Type of Entity: Class A (500.1)
The second amendment defines a new type of entity, Class A companies. Class A companies are defined as covered entities and their affiliates with at least $20,000,000 in gross annual revenue in each of the last two fiscal years from business operations in New York and either of the following:
- Over 2,000 employees averaged over the last two fiscal years, including employees of both the covered entity and all of its affiliates regardless of location, or
- Over $1,000,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and all of its affiliates.
Class A companies must adhere to the following additional requirements:
- Annual independent audit of the cyber program,
- Privileged access management solution and an automated method of blocking commonly used passwords, and
- Monitor the network and include centralized logging and security event alerting through endpoint detection.
New Type of Entity: Class A (500.1)
Detailed Summary
One of the most significant changes in the second amendment establishes a new entity classification, Class A companies, which must meet more stringent requirements than other covered entities. As defined above, a Class A company is a covered entity that, together with its affiliates, has at least $20,000,000 in gross annual revenue in each of the last two fiscal years from business operations in New York and either averages over 2,000 employees (covered entity and all affiliates, regardless of location) over the last two fiscal years or has over $1,000,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and all of its affiliates.
For the purpose of determining number of employees and gross annual revenue, affiliates include only those that share information systems, cybersecurity resources or all or any part of a cybersecurity program with the covered entity.
Companies large enough to meet this definition are subject to three additional requirements that smaller covered entities are not:
- An annual independent audit of the cyber program (500.2),
- Privileged access management solution and an automated method of blocking commonly used passwords (500.7), and
- Endpoint detection must be implemented to monitor the network and include centralized logging and security event alerting (500.14).
Governance: NYDFS views strong governance as a central aspect of cybersecurity.
The original Part 500 required cybersecurity reporting to the Board of Directors, written policies approved by a Senior Officer, the need for a Chief Information Security Officer (CISO) or equivalent, among other mandates. The second amendment expands on these requirements.
Policies (500.3)
The second amendment requires several new policies that are either listed specifically in the policy section (500.3) or implied by language in other sections.
Additional policies:
- (h) Security awareness and training
- (o) Vulnerability management
Revised policies (the added wording is noted in parentheses):
- (b) data governance, classification and retention (added: retention)
- (c) asset inventory, device management and end of life management (added: end of life management)
- (d) access controls, including remote access and identity management (added: remote access)
- (i) systems and application security and development and quality assurance (added: security)
- (n) incident response and notification (added: notification)
Other policies:
- Encryption (500.15)
Policies (500.3)
Detailed Summary
Governance starts with policies. The original Part 500 includes a comprehensive list of required policies. The second amendment adds to it by requiring formally documented policies and procedures for end of life management, remote access, and vulnerability and patch management. The second amendment also specifies that the policies must be approved at least annually by the senior governing body.
The additional and revised policies are those listed above. In addition to the policies enumerated in 500.3, policy requirements appear later in the regulation, such as the encryption policy in 500.15, and can be assumed to fall within the categories listed in 500.3.
We recommend a detailed review of the entire regulation before creating new policies.
Oversight &amp; Independence (500.1, 500.4, 500.17(b))
The second amendment ultimately requires the business to take more ownership in the security program. Senior leadership must understand and attest to cyber risks and controls. Additionally:
- The CISO must have adequate authority to ensure that cyber risks are appropriately managed
- Annual reporting on plans to remediate inadequacies to the Board of Directors
- Timely reporting on material cybersecurity issues or significant cybersecurity events
- Annual certification of compliance must now be signed by both the CEO (or highest ranking executive) and the CISO (or senior officer responsible for the cybersecurity program)
Oversight &amp; Independence (500.1, 500.4, 500.17(b))
Detailed Summary
The expansion of governance continues with additional requirements for the CISO, CEO, and Board of Directors. Starting with the CISO, the second amendment requires that the CISO have adequate authority to ensure that cyber risks are appropriately managed, and specifies their ability to direct sufficient resources to establish and maintain a cybersecurity program.
Currently, the CISO is required to report to the Board of Directors annually on the Company’s cybersecurity program and material cybersecurity risks. The second amendment requires additional annual reporting to the Board of Directors on plans for remediating inadequacies, as well as timely reporting on material cybersecurity issues or significant cybersecurity events.
Given enhanced reporting to the Board of Directors, the second amendment specifies that the Board of Directors is required to have sufficient knowledge and expertise of cybersecurity related matters or be advised by such persons, to exercise effective oversight of cybersecurity risk management.
The second amendment also expands the role of the CEO (or highest ranking executive) in security. The annual certification of compliance must be signed by both the CEO and the CISO.
In place of a certification, a Company may submit a written acknowledgement of less-than-full compliance that identifies the specific deficiencies. Companies choosing this route must be prepared to provide the NYDFS with documentation of a remediation timeline or confirmation that remediation has been completed.
Technology: The second amendment requires updates to asset tracking, access requirements, and brings in a new section related to operational resilience.
Technology Assets (500.13) + Access (500.7, 500.12)
New control requirements expect Companies to have a detailed understanding of all of their assets and privileged accounts. The additional requirements around access respond directly to the breach trends seen in the example headlines, where unmanaged access to sensitive data was the root cause. Security requirements include:
- Updates to asset inventory requirements including items and key information that must be tracked and maintained
- Updates to the definition of privileged access
- Limiting access based on job function
- Periodic review of all user access privileges with additional controls for privileged accounts
- Prompt access termination following departures
- Multi-factor Authentication (MFA) requirements for remote access, third party applications that access nonpublic information (NPI), and privileged accounts other than service accounts that prohibit interactive login
Technology Assets (500.13) + Access (500.7, 500.12)
Detailed Summary
Both the asset and the access issues revolve around a lack of control over sensitive data. The asset inventory is one of the more significant updates in the second amendment. Currently, section 500.13 only requires disposal of NPI that is no longer needed for business operations. The amendment requires an asset inventory of all information systems and their supporting components, including hardware, operating systems, applications, infrastructure devices, APIs, and cloud services. For each asset, key information must be tracked, including the information owner, location, classification or sensitivity, support expiration date, and recovery time objective, and the inventory must be kept current.
The second amendment clarifies the definition of privileged access as access that allows a user to perform security-relevant functions that ordinary users are not authorized to perform, including the ability to add, change, or remove other accounts, or make configuration changes.
Privileged accounts, as defined, must be limited to only those necessary to perform the user’s job function and require access to be removed as soon as it is no longer needed. A periodic review of all user access privileges supports this limitation.
The guidance takes security a step further by requiring additional access controls:
- Disable or securely configure all protocols that permit remote control of devices,
- Promptly terminate access following departures,
- If passwords are used as an authentication method, implement a written password policy that meets industry standards, and
- MFA.
MFA is required for remote access to the Company’s information systems, third party applications that access NPI, and all privileged accounts other than service accounts that prohibit interactive login. However, there is an exception for instances where reasonably equivalent or more secure compensating controls are documented and are approved by the CISO in writing.
Compensating controls must be periodically reviewed based on the Company’s risk assessment but at a minimum annually.
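Blocking commonly used passwords (the Class A requirement in 500.7(c)) is a simple check to automate, but a naive exact-match against a denylist misses the variants users reach for when a plain word is rejected. The function below is an added example, not from the regulation or from any product: it folds case, strips trailing digits and punctuation, and undoes common leet spellings before comparing against a small constructed denylist, so that "P@ssw0rd123" is rejected along with "password". The denylist and the 12-character minimum are assumptions for this example; a real deployment would load a published breached-password corpus and use the minimum length its own password policy sets.

```python
"""Reject candidate passwords that match a denylist of commonly used ones.

Added example, not part of the regulation text or any vendor product.
COMMON_PASSWORDS is a constructed sample; a real list has thousands of
entries. Normalization catches the variants users try when a plain word
is rejected: capitalization, a trailing year or "123", leet spelling.
"""
import re

# Constructed sample denylist (assumption: a real list is far larger).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin",
    "iloveyou", "monkey", "dragon", "football", "summer",
}

# Leet-speak characters folded back to the letters they stand in for.
LEET_MAP = str.maketrans({
    "@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
    "4": "a", "5": "s", "7": "t", "!": "i",
})

MIN_LENGTH = 12  # assumption: value chosen for this example


def password_variants(candidate: str) -> set[str]:
    """Forms of the candidate to compare against the denylist.

    Trailing digits/punctuation are stripped before leet folding so that
    "p@ssw0rd123" becomes "p@ssw0rd" and then "password" rather than
    having its suffix turned into letters. An all-digit password such as
    "123456" strips to nothing, so the lowercase original is kept too.
    """
    lowered = candidate.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered) or lowered
    return {lowered, stripped, stripped.translate(LEET_MAP)}


def check_password(candidate: str) -> list[str]:
    """Return policy findings for the candidate; an empty list means accepted."""
    findings = []
    if len(candidate) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    hits = password_variants(candidate) & COMMON_PASSWORDS
    if hits:
        findings.append(f"matches commonly used password: {sorted(hits)[0]}")
    return findings


if __name__ == "__main__":
    for sample in ("P@ssw0rd123", "Welcome2023!!!", "123456", "correct horse battery staple"):
        print(f"{sample!r}: {check_password(sample) or 'accepted'}")
```

The check is meant to run at the point where a password is set or changed (directory password filter, identity provider policy hook, or application signup), which is where "automated" in 500.7(c) puts it; a periodic audit of existing password hashes against the same list is a useful complement but does not satisfy the requirement on its own.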
Incident Response and Business Continuity Management (500.16)
Event response requires thorough planning, testing, knowledgeable personnel, and ownership from leadership, to respond and recover timely from a cybersecurity event. Changes in this section include:
- Additional requirements for the Incident Response (IR) and Business Continuity Disaster Recovery (BCDR) plans
- The plans must be updated, tested, and available to all applicable employees
Incident Response and Business Continuity Management (500.16)
Detailed Summary
Incident response and business continuity management include three primary components:
- Risk identification and assessment,
- Risk mitigation, and
- Ongoing monitoring.
The second amendment adds a requirement for IR plans to address ransomware incidents. If a cybersecurity event occurs, the Company is required to prepare a root cause analysis including what will be done to prevent reoccurrence.
BCDR plans are required to designate essential data and personnel, communication plans, back-up facilities, and identifying necessary third parties. Companies are required to document procedures for the maintenance of back-up facilities, systems, and infrastructure as well as alternative staffing.
Companies must maintain backups necessary to restoring material operations that are adequately protected from unauthorized alterations or destruction.
The IR and BCDR plans require testing at least annually with all staff who are critical to the response, including senior officers and the CEO. These plans must be available to all applicable employees and a copy must be available at an offsite location.
The Company is required to provide training to all employees responsible for implementing the plans. The plans also need to be reviewed and updated by all participants.
Monitoring and Notification: The changes to monitoring and notification require a deeper understanding of the Company’s environment and risk assessments.
Monitoring (500.9 + 500.11)
Risks change constantly and require ongoing assessment to keep Companies current. These risks cannot be identified when IT works in a silo; identifying them relies on open communication with the business. Changes to monitoring include:
- Expands the definition of risk assessment
- Expands requirements for risk assessment and requires IT and the business to work together for a holistic risk program
Monitoring (500.9 + 500.11)
Detailed Summary
The initial phase of monitoring includes assessments to monitor potential risk. The second amendment expands the definition of risk assessment to incorporate threat and vulnerability analyses and to consider mitigations provided by security controls that are planned or in place.
The expanded definition addresses the risk that Companies may conduct a generic risk assessment instead of one tailored to risks identified in their environment. In 2020, EyeMed had conducted a risk assessment, but it was inadequate and did not take into account some obvious risks, such as storing NPI in email accounts.
In addition, Companies will be required to update the risk assessment at a minimum annually, and when there is a change in the business or technology that causes a material change to cyber risk such as a major system implementation or acquisition. Business and technology changes necessitate IT and the business to be in open discussion.
The second amendment refers back to the risk assessment throughout the regulation, highlighting that the risk assessment is at the core of a healthy cybersecurity program. For example, the training section (500.14) notes that cybersecurity awareness training must reflect the risks identified in the risk assessment, and the testing section (500.5) notes that the frequency and scope of penetration testing and vulnerability scanning must be based on the risk assessment.
Training (500.14) and Testing (500.5)
The changes in this section close the circle of the testing and remediation lifecycle:
- Additional risk-based controls to protect against malicious code
- Minimum annual cybersecurity awareness training with social engineering
- Annual penetration tests by a qualified internal or external party, periodic vulnerability testing, and ongoing monitoring
- Updates to the scope of penetration and vulnerability scans
Training (500.14) and Testing (500.5)
Detailed Summary
The noticeable uptick in phishing emails is also addressed. The second amendment requires risk-based controls against malicious code, including controls that monitor and filter web traffic and email to block malicious content. It also expands annual cybersecurity awareness training to include phishing and other social engineering methods. Employees remain a major avenue of attack, and training is a simple yet effective defense.
In addition to the new email controls and employee training, the penetration test and vulnerability scan requirements are stronger. Penetration testing must now be performed from both inside and outside the boundaries of the information systems, at least annually, by a qualified internal or external party; an added benefit of an external party is its independence from the Company. Vulnerability scanning must be automated, supplemented by a manual review of systems not covered by the scans, with a process to monitor and remediate the vulnerabilities found.
Notification (500.17 a-b)
The second amendment enhances notification requirements to the superintendent and includes additional notification benchmarks for unauthorized access, ransomware, and extortion.
Notification (500.17 a-b)
Detailed Summary
Section 500.17 retains the 72-hour notification rule for a cybersecurity event (measured from the determination that the event has occurred), and adds two new events that must be reported within the same 72-hour window:
- Unauthorized access to privileged accounts, and
- Deployment of ransomware within a material part of the covered entity’s information system.
The 72-hour timeframe also applies to cybersecurity events at affiliates and third party service providers that affect a covered entity.
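Because the 72-hour clock for unauthorized access to a privileged account starts when the Company determines the access occurred, the centralized logging and alerting that 500.14(b) requires of Class A companies is what makes timely notification possible. The rule set below is an added example of that detection logic, not from the regulation or from any SIEM product: it runs over constructed authentication log lines and a constructed account directory and flags the conditions the access section makes relevant, an interactive login by a service account that is supposed to prohibit interactive login, a successful privileged login without MFA, and a privileged login that succeeds after repeated failures. The log field names, the account directory, and the three-failure threshold are assumptions for this example.

```python
"""Flag privileged-account sign-ins worth an alert from a batch of auth logs.

Added example, not from the regulation or any SIEM product. The account
directory and the log lines are constructed sample data and their field
names are assumptions; adapt the parsing to the identity provider or EDR
that actually forwards the records.
"""
import json

# Constructed directory: is the account privileged, and is it a service
# account that must never log in interactively (the MFA carve-out case)?
ACCOUNTS = {
    "jdoe": {"privileged": False, "service": False},
    "adm-jdoe": {"privileged": True, "service": False},
    "svc-backup": {"privileged": True, "service": True},
}

# Constructed sample log, one JSON record per line.
SAMPLE_LOG = """
{"ts":"2023-06-28T09:01:12Z","user":"jdoe","type":"interactive","mfa":true,"src":"10.20.1.15","result":"success"}
{"ts":"2023-06-28T09:05:44Z","user":"adm-jdoe","type":"interactive","mfa":false,"src":"10.20.1.15","result":"success"}
{"ts":"2023-06-28T22:17:03Z","user":"svc-backup","type":"interactive","mfa":false,"src":"203.0.113.7","result":"success"}
{"ts":"2023-06-28T22:17:30Z","user":"svc-backup","type":"non-interactive","mfa":false,"src":"10.20.5.2","result":"success"}
{"ts":"2023-06-28T23:40:09Z","user":"adm-jdoe","type":"interactive","mfa":true,"src":"10.20.1.15","result":"failure"}
{"ts":"2023-06-28T23:40:15Z","user":"adm-jdoe","type":"interactive","mfa":true,"src":"10.20.1.15","result":"failure"}
{"ts":"2023-06-28T23:40:21Z","user":"adm-jdoe","type":"interactive","mfa":true,"src":"10.20.1.15","result":"failure"}
{"ts":"2023-06-28T23:40:40Z","user":"adm-jdoe","type":"interactive","mfa":true,"src":"10.20.1.15","result":"success"}
"""

FAILURES_BEFORE_ALERT = 3  # assumption: threshold chosen for this example


def parse_log(text: str) -> list[dict]:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: list[dict], accounts: dict) -> list[tuple[str, str, str]]:
    """Return (timestamp, user, reason) alerts for a batch of events in time order."""
    alerts = []
    consecutive_failures: dict[str, int] = {}
    for ev in events:
        acct = accounts.get(ev["user"])
        if acct is None:
            alerts.append((ev["ts"], ev["user"], "login by account not in directory"))
            continue
        if acct["service"] and ev["type"] == "interactive":
            alerts.append((ev["ts"], ev["user"], "interactive login by service account"))
        if acct["privileged"] and ev["type"] == "interactive" and not ev["mfa"] and ev["result"] == "success":
            alerts.append((ev["ts"], ev["user"], "privileged login without MFA"))
        if acct["privileged"]:
            # Count failures per account; a success that follows a run of
            # failures is the pattern of a guessed or sprayed credential.
            if ev["result"] == "failure":
                consecutive_failures[ev["user"]] = consecutive_failures.get(ev["user"], 0) + 1
            else:
                if consecutive_failures.get(ev["user"], 0) >= FAILURES_BEFORE_ALERT:
                    alerts.append((ev["ts"], ev["user"], "privileged login after repeated failures"))
                consecutive_failures[ev["user"]] = 0
    return alerts


def alert_reasons(text: str = SAMPLE_LOG, accounts: dict = ACCOUNTS) -> list[str]:
    """Convenience wrapper returning just the alert reasons for a log batch."""
    return [reason for _, _, reason in detect(parse_log(text), accounts)]


if __name__ == "__main__":
    for ts, user, reason in detect(parse_log(SAMPLE_LOG), ACCOUNTS):
        print(f"{ts} {user}: {reason}")
```

On the sample batch this produces four alerts: the privileged login without MFA at 09:05, two for the service account's interactive login at 22:17 (it is both a service account and a privileged account signing in without MFA), and the success following three failures at 23:40. The failure counter is per batch and has no time window; a production rule would bound the window and would feed the alert into the incident process that decides whether the access was unauthorized, which is what starts the 72-hour clock.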
After notice of the cybersecurity event, covered entities are required to promptly provide any information requested by the superintendent regarding the event. And, covered entities have a continuing obligation to update and supplement the information provided.
Two additional notification requirements apply to extortion payments related to a cybersecurity event:
- Notice of the extortion payment within 24 hours, and
- Within 30 days of the payment, a written description of why the payment was necessary, the alternatives that were considered, and the sanctions diligence that was conducted.
The annual submission deadline to the superintendent is changed from February 15 to April 15. Submissions that identify areas of improvement must include remediation plans in the submissions.
Next Steps
What should you and your organization do to prepare for this extensive list of enhanced cybersecurity requirements?
While many of these requirements will likely not be effective during 2023, some of them will take time to implement and document. Identify those areas now and determine if the organization has the resources internally for the task. Johnson Lambert’s advisory and consulting practice can supplement your team and co-develop a plan. We can help you:
- Perform a gap analysis to assess your current cyber program. Johnson Lambert can help engage in conversations with key personnel and stakeholders, review reports and policies, perform a walkthrough of critical cybersecurity processes to assess potential cybersecurity program gaps and meet with management to co-develop risk assessment and recommendations for improvements.
- Create a compliance roadmap. Johnson Lambert can assist with developing a roadmap for next steps to improve the cybersecurity processes and sharing those results with your team.
- Perform testing to validate your cybersecurity program. Johnson Lambert can perform an independent assessment to determine the effectiveness of your program.
To discuss Johnson Lambert’s advisory services and how we can further assist your organization, contact our team.
Disclaimer
The content contained herein is provided solely for educational purposes to Johnson Lambert LLP’s intended audience, and should not be relied upon as accounting, tax, or business advice because it does not take into account any specific organization’s facts and circumstances.