November 15, 2022
On November 9, 2022, the New York Department of Financial Services (“DFS”) announced proposed amendments (“Proposed Amendments”) to DFS’ Part 500 Cybersecurity Rules (the “Cybersecurity Rules”). The Proposed Amendments reflect a revised set of amendments based on the draft Part 500 amendments released on July 29, 2022 (“Draft Amendments”). The initial Draft Amendments were covered in our prior alert. The Proposed Amendments continue to reinforce DFS’ forward-leaning, “catalytic” role in strengthening cybersecurity practices, but reflect that DFS did consider the comments received in response to the Draft Amendments as they clarify certain security requirements, strengthen some requirements to protect consumers and covered entities, and soften others to make them more closely aligned with industry standards and better account for public concerns.
We highlight seven key takeaways of the Proposed Amendments:
We discuss each in turn below.
The Draft Amendments previously proposed new, more stringent, cybersecurity event notification obligations, including:
The Proposed Amendments maintain these tight timetables, as well as add other obligations for incident notification, which reinforces DFS’ desire to be promptly kept informed about cybersecurity events at covered entities. These additional obligations include:
The Draft Amendments increased cybersecurity obligations for a newly defined group of larger DFS covered entities, termed “Class A companies.” Although some requirements were removed or altered under the Proposed Amendments, the Draft Amendments’ heightened requirements obligated this class of covered entities to:
After considering public comments, DFS modified its proposed scope for the new category of “Class A companies,” likely reducing the number of covered entities that would fall within this definition. The new definition for Class A companies under the Proposed Amendments includes covered entities with:
While this is a broad definition that will still cover a large number of entities, it is a material narrowing of the Draft Amendments, which would have covered any entity with over 2,000 employees or companies with a three-year average of over $1 billion in gross annual revenue. Notably, the changes in the Proposed Amendments may result in excluding from the Class A definition certain covered entities that have a small presence in New York, and also shift the Draft Amendments’ focus on gross annual revenues averaged over three years.
Under the Draft Amendments, Class A companies were required to conduct weekly systematic scans or reviews with respect to vulnerability assessments. The Proposed Amendments remove this requirement, instead requiring covered entities more broadly to have a monitoring process that ensures prompt notification of any new security vulnerabilities. The Proposed Amendments also revise certain technical and audit requirements included in the Draft Amendments for Class A companies, requiring:
Under the Proposed Amendments, DFS re-commits to its focus on the accountability of boards and senior management, but softens and removes some of the previously proposed obligations. These revised obligations:
These changes in the Proposed Amendments help clarify some ambiguities. For example, assigning the obligation to sign certifications or acknowledgements of noncompliance to the CISO and the “highest-ranking executive” clarifies that all companies, even those without a CEO, are required to have and sign annual certifications or acknowledgements of noncompliance.
The Draft Amendments expanded measures requiring covered entities to have written plans for business continuity and disaster recovery (“BCDR”), including requiring certain measures to mitigate disruptive events. DFS also increased its requirements for incident response plans (“IRPs”) in the Draft Amendments, requiring certain additional content requirements for IRPs, such as clearly defined roles. These requirements for BCDR and IRPs have remained largely the same in the Proposed Amendments, with a few practical changes. Specifically, the Proposed Amendments:
In practice, the changes to the distribution of IRPs and BCDR plans may not make a significant difference, as the Proposed Amendments require that the plans be accessible during a cybersecurity event, but the revised requirement will afford covered entities more flexibility to develop the approach most effective for them. Further, in the Proposed Amendments, training is still required for personnel involved in implementing the plans, as are incident response and BCDR exercises, which are required at least annually. However, the change to the requirement concerning backups is a significant technical change that will reduce the burden of compliance for many covered entities that do not have backups fully isolated from network connections.
The Proposed Amendments make significant changes to the strengthened technical and written policy requirements proposed by the Draft Amendments. Changes to technical requirements—focused on penetration testing, vulnerability management, and access controls—include:
Many of these revisions, such as allowing the CISO to approve reasonably equivalent controls to replace multi-factor authentication, provide covered entities with more flexibility in achieving compliance with these regulations.
Amendments focused on covered entities’ written policies include:
These measures provide important clarification for covered entities. Certain measures, such as allowing for a written password policy that meets industry standards, also demonstrate DFS’ consideration of industry best practices in revising these regulations.
The Draft Amendments expanded the requirements for and definition of “risk assessments.” These changes have been maintained in the Proposed Amendments. The Draft Amendments required that covered entities review and update risk assessments annually and conduct impact assessments whenever a change in the business or technology causes a material change to the covered entity’s cyber risk. The requirement for impact assessments has since been removed, so covered entities now only have to review and update risk assessments annually and whenever such a change in business or technology occurs.
The Proposed Amendments also add a requirement that covered entities’ written policies and procedures for vulnerability management mandate automated scans of information systems and a manual review of systems not covered by such scans to identify vulnerabilities. These scans and reviews are to occur at a frequency determined by the risk assessment and where there are any major system changes.
The Draft Amendments contained two significant provisions regarding the enforcement of the Cybersecurity Rules, specifically that:
The Proposed Amendments do not materially change these requirements.
Next Steps
The Proposed Amendments illustrate DFS’ stated commitment to ensuring the Cybersecurity Rules continue to “keep[] pace with new threats and technology purpose-built to steal data or inflict harm,” as Superintendent Adrienne Harris stated in announcing the Proposed Amendments. The publication of the Proposed Amendments triggered a 60-day comment period that will end on January 9, 2023. Covered entities that have views on the proposed changes to the DFS Cybersecurity Rules should consider submitting comments. The Proposed Amendments demonstrate that DFS took into account prior comments as part of its “data-driven approach to amending the regulation to ensure that regulated entities address new and increasing cybersecurity threats with the most effective controls and best practices to protect consumers and businesses.” Following this comment period, DFS will review submitted comments and decide whether to re-propose revised amendments or adopt the Proposed Amendments as final regulations.
Covered entities should assess their cybersecurity practices to ensure they have adequate controls in place to comply with these anticipated regulatory changes. We are available to assist in those efforts and will continue to monitor and report on developments during and after the comment period.
This alert was prepared by Alexander Southwell, Stephenie Gosnell Handler, Vivek Mohan, Amanda Aycock, Snezhana Stadnik Tapia, Terry Wong, and Ruby Lang.
© 2022 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.