August 8, 2022
On July 29, 2022, the New York Department of Financial Services (“DFS”) released Draft Amendments to its Part 500 Cybersecurity Rules; the Draft Amendments would update the Cybersecurity Rules in a manner consistent with the “catalytic” role it took in 2017 as the first state to codify certain cybersecurity best practices and guidance into explicit regulatory requirements for covered entities. The cybersecurity landscape has evolved in the past five years, and the Draft Amendments demonstrate that DFS continues to take a forward-leaning role in strengthening cybersecurity practices. The Draft Amendments propose increased expectations for senior leaders, heightened technology requirements, an expanded set of events covered under the mandatory 72-hour notification requirements, a new 24-hour reporting requirement for ransom payments and a 30-day submission of defenses, significant new requirements for business continuity and disaster recovery, and heightened annual certification and assessment requirements. Notably, the amended regulations propose a new class comprising larger entities which will be subject to increased obligations for their cybersecurity programs. Even the definition of a cybersecurity program has been expanded to include coverage of nonpublic information stored on those information systems—a substantial increase in covered information that will have significant downstream effects on reporting and certification requirements. The cybersecurity regulations by DFS were first released in March 2017 and went into full effect in March 2019, as previewed in our prior alert and subsequently discussed in our agency round-ups (2020 & 2021).
Key provisions of the Draft Amendments are highlighted below.
The Draft Amendments establish additional requirements on top of DFS’s existing 72-hour notification requirements, including:
Adhering to the mantra “with great data comes great responsibility,” the Draft Amendments also increase cybersecurity obligations for a newly defined class of larger entities, which are under DFS’s authority. These “Class A” companies are defined as entities with over 2,000 employees or over $1 billion in gross annual revenue average over the last three years from all business operations of the company and its affiliates. Under the Draft Amendments, Class A companies are required to comply with heightened technical requirements as well as risk assessments and audits. They must:
The original Part 500 regulations imposed a number of new obligations on companies’ governing bodies, including the need for a chief information security officer (“CISO”) or equivalent personnel, detailed cybersecurity reporting to the board, and written policies approved by a senior officer. The Draft Amendments enhance in a very meaningful way many of the Part 500 governance requirements, further indicating how important DFS views strong governance in the quest for effective cybersecurity. The Draft Amendments include obligations:
The Draft Amendments also provide an option for covered entities to submit written acknowledgement that, for the prior calendar year, they did not fully comply with their cybersecurity obligations. Covered entities who submit this acknowledgment will be required to identify all the provisions of the compliance rules that were not followed, describe the nature and extent of the noncompliance, and identify all the areas, systems, and processes that require material improvement, updating, or redesign.
These additional reporting requirements are substantial, and would greatly increase the burden on CEOs, CISOs, and other personnel involved in the preparation of these annual certifications or acknowledgements.
The Draft Amendments expand measures directed at “operational resilience” beyond incident response plans, requiring covered entities to also have written plans for business continuity and disaster recovery (“BCDR”). Notably, the original Part 500 cybersecurity regulations were the first of its kind to stipulate detailed requirements for cybersecurity incident response plans. Again, DFS is breaking similar ground with BCDR plans, requiring proactive measures to mitigate disruptive events by, at a minimum:
Furthermore, DFS has proposed a significant revision to its requirements for incident response plans, requiring that they differentiate based on incident type (e.g., ransomware), while continuing to require that such plans address the previously enumerated areas (e.g., internal response processes; incident response plan goals; definitions of clear roles, responsibilities and levels of decision-making authority; communications and information sharing; identification of remediation requirements; documentation and reporting, etc.) as well as the newly added requirement to address recovery from backups.
Under the Draft Amendments, relevant personnel must receive copies of the incident response plan and BCDR plan, copies must be maintained offsite, and all personnel involved in implementation of the plans must receive appropriate training. In addition, covered entities are required to conduct incident response and BCDR exercises.
The Draft Amendments strengthen technical requirements and written policy requirements for covered entities, codifying certain best practices in key cyber risk areas. The Draft Amendments specifically:
The Draft Amendments also contain new measures for asset inventory and management, which may cost companies significant time and resources to implement. These measures require all covered entities to:
The Draft Amendments further require additional written cybersecurity policies to include procedures for end of life management, remote access, and vulnerability and patch management. Notably, despite the prominence of recent supply chain cybersecurity attacks, there are not substantive changes to the Part 500 requirements relating to third-party service providers.
The Draft Amendments further expand the requirements for and definition of “risk assessment” to make clear that they must be:
While DFS has not changed the core cybersecurity functions that must be covered by the risk assessment per se, covered entities will need to ensure that it covers the broadened scope of “cybersecurity program” under the Draft Amendments (nonpublic information stored on the covered entity’s information systems). Furthermore, another substantial proposal is the requirement that covered entities must conduct impact assessments whenever a change in the business or technology causes a material change to the covered entity’s cyber risk.
Finally, the Draft Amendments contain two significant clarifications regarding the enforcement of the Part 500 Cybersecurity Rules:
This report is not an exhaustive list of the changes contained in the Draft Amendments, but it provides a high-level overview of the impact of the Draft Amendments on the Part 500 Cybersecurity Rules, should they be adopted. These recent Draft Amendments will go through a short pre-proposal comments period, which ends on August 18, 2022. After official publication of the proposed amendments, there will be a 60-day comment period. Pending further revisions, most of the amendments would take effect 180 days after adoption, while some requirements—i.e., notification requirements and changes to annual notice of certification—would take effect on an expedited timeframe of 30 days after adoption. Other requirements (e.g., regarding access controls) would take effect a year after adoption.
These amendments signal DFS’s continued focus on ensuring the Part 500 Cybersecurity Rules continue to raise the regulatory bar on covered entities’ cybersecurity programs in an era of a rapidly evolving cyber threat landscape. While many of the Draft Amendments reflect the current state of best practice guidance, covered entities will need to intentionally review the Draft Amendments and ensure they are well-positioned from a governance, technology, and budgetary perspective to ensure compliance.
This alert was prepared by Alexander H. Southwell, Stephenie Gosnell Handler, Terry Wong, and Dustin Stonecipher*.
Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any member of the firm’s Privacy, Cybersecurity & Data Innovation practice group:
Matthew Benjamin – New York (+1 212-351-4079, email@example.com)
Ryan T. Bergsieker – Denver (+1 303-298-5774, firstname.lastname@example.org)
S. Ashlie Beringer – Co-Chair, PCDI Practice, Palo Alto (+1 650-849-5327, email@example.com)
David P. Burns – Washington, D.C. (+1 202-887-3786, firstname.lastname@example.org)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, email@example.com)
Svetlana S. Gans – Washington, D.C. (+1 202-955-8657, firstname.lastname@example.org)
Stephenie Gosnell Handler – Washington, D.C. (+1 202-955-8510, email@example.com)
Nicola T. Hanna – Los Angeles (+1 213-229-7269, firstname.lastname@example.org)
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, email@example.com)
Robert K. Hur – Washington, D.C. (+1 202-887-3674, firstname.lastname@example.org)
Kristin A. Linsley – San Francisco (+1 415-393-8395, email@example.com)
H. Mark Lyon – Palo Alto (+1 650-849-5307, firstname.lastname@example.org)
Vivek Mohan – Palo Alto (+1 650-849-5345, email@example.com)
Karl G. Nelson – Dallas (+1 214-698-3203, firstname.lastname@example.org)
Ashley Rogers – Dallas (+1 214-698-3316, email@example.com)
Alexander H. Southwell – Co-Chair, PCDI Practice, New York (+1 212-351-3981, firstname.lastname@example.org)
Deborah L. Stein – Los Angeles (+1 213-229-7164, email@example.com)
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, firstname.lastname@example.org)
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, email@example.com)
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, firstname.lastname@example.org)
Debra Wong Yang – Los Angeles (+1 213-229-7472, email@example.com)
Ahmed Baladi – Co-Chair, PCDI Practice, Paris (+33 (0) 1 56 43 13 00, firstname.lastname@example.org)
James A. Cox – London (+44 (0) 20 7071 4250, email@example.com)
Patrick Doris – London (+44 (0) 20 7071 4276, firstname.lastname@example.org)
Kai Gesing – Munich (+49 89 189 33-180, email@example.com)
Bernard Grinspan – Paris (+33 (0) 1 56 43 13 00, firstname.lastname@example.org)
Penny Madden – London (+44 (0) 20 7071 4226, email@example.com)
Michael Walther – Munich (+49 89 189 33-180, firstname.lastname@example.org)
Vera Lukic – Paris (+33 (0) 1 56 43 13 00, email@example.com)
Kelly Austin – Hong Kong (+852 2214 3788, firstname.lastname@example.org)
Connell O’Neill – Hong Kong (+852 2214 3812, email@example.com)
Jai S. Pathak – Singapore (+65 6507 3683, firstname.lastname@example.org)
* Dustin Stonecipher is an associate working in the firm’s Washington, D.C. office who is admitted only in Maryland.
© 2022 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.