On November 1, 2023, Governor Kathy Hochul announced that the New York State Department of Financial Services (“NYSDFS”) amended its Part 500 Cybersecurity Regulations for state-licensed financial institutions.[1] The amendments reflect the first significant change to the Cybersecurity Regulations since their inception in 2017 and incorporate new information security compliance obligations for regulated entities—institutions operating under or required to obtain a license or similar authorization under New York’s insurance law, banking law, or financial services law.[2] The Cybersecurity Regulations accordingly apply to health insurance companies operating in New York, as well as entities that sell annuities or other insurance products if such institutions receive a license from NYSDFS.
Perhaps most notably, the amendments expand on NYSDFS’s 72-hour cybersecurity event reporting obligation and incorporate new 24-hour reporting requirements for regulated entities that make extortion payments. In addition, all regulated entities will need to comply with new cybersecurity governance obligations and additional cybersecurity measures and controls. Further, so-called large “Class A” entities must also prepare for heightened data protection requirements, such as independent audits, as discussed in more detail below.
Background
Through its 2017 regulations, which fully came into effect in February 2018, NYSDFS has asserted a leading role among regulators of cybersecurity. The Cybersecurity Regulations—some of the most detailed cyber requirements in the U.S. to date—aim to protect a regulated entity’s information systems and the nonpublic information (“NPI”) residing on them, based on that entity’s unique cyber risk profile. At a high level, NPI includes nonpublic electronic data that is (1) business-related information that, if improperly disclosed, could cause a material adverse impact on the entity’s business, operations, or security, (2) information concerning an individual that, because of a name, number, personal mark, or other identifier, can be used to identify the individual when combined with another data element (e.g., a social security number), or (3) certain health information.[3]
Draft amendments to the Cybersecurity Regulations were first published in July 2022 and finalized after various rounds of public comment. The amendments go into effect on December 1, 2023, though regulated entities have 180 days from the date of adoption to comply with most provisions, or until April 29, 2024.[4] NYSDFS also sets forth longer compliance periods for other requirements and extends some deadlines for small businesses, which constitute entities with fewer than 20 employees, less than $7.5 million in gross annual revenue in each of the past three years, or less than $15 million in year-end total assets.[5]
The Cybersecurity Regulations bear some similarities to health care data security regulations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), though Part 500 is ultimately more prescriptive.
Notification to NYSDFS Regarding Cybersecurity Events and Extortion Payments
72-Hour Notification Requirement for Certain Cybersecurity Events. Starting December 1, 2023, all regulated entities must notify NYSDFS within 72 hours of any cybersecurity event that has occurred at the entity, its affiliates, or a third-party service provider that either (1) impacts the entity and gives rise to an obligation to notify any government body, self-regulatory agency or other supervisory body; (2) has a reasonable likelihood of materially harming any material part of normal operations; or (3) results in the deployment of ransomware within a material part of the entity’s information systems.[6] Regulated entities will be required to “promptly provide” any information requested by NYSDFS regarding the event and will remain under a continuing obligation to update the regulator regarding material changes or new information previously unavailable.[7]
24-Hour Notification Requirement for Extortion Payments. Additionally, regulated entities must notify NYSDFS within 24 hours of making an “extortion payment” in connection with a cybersecurity event.[8] Further, within 30 days of making such a payment, the entity must also provide a written description of the reasons payment was necessary, a description of alternatives to payment considered, diligence performed to find payment alternatives, and diligence performed to ensure compliance with applicable regulations, including those of the Office of Foreign Assets Control.[9]
Cybersecurity Governance Obligations
Oversight by a Senior Governing Body. The Cybersecurity Regulations now require that an institution’s “senior governing body”—a board of directors, board committee, or equivalent governing body—oversee the regulated entity’s cybersecurity risk management.[10] The senior governing body (or a senior officer) must approve the written policies for the protection of the entity’s information systems and NPI stored on those systems at least annually and must review regular management reports about cyber issues.[11] Importantly, the senior governing body must have a “sufficient understanding of cybersecurity-related matters” and provide sufficient resources for managing the cybersecurity program.[12]
Responsibilities of the Chief Information Security Officer. Under the amended Cybersecurity Regulations, a CISO—a qualified individual responsible for overseeing and implementing a company’s cybersecurity program and enforcing its related policy—must provide to the senior governing body annual written reports that include plans for remediating “material inadequacies” in the cybersecurity program.[13] The CISO must also “timely report” to the senior governing body material cyber issues, such as significant cybersecurity events and important changes to the cybersecurity program.[14] Additionally, the CISO, along with the entity’s highest ranking executive, must annually certify compliance with the Cybersecurity Regulations to NYSDFS.[15] It appears NYSDFS, like other regulators, is increasing its focus on individual accountability for CISOs and may also begin enforcement actions in this area.
Enhanced Data Protection Measures
The amended Cybersecurity Regulations require the implementation of additional cybersecurity measures and controls. Regulated entities must:
- Perform a risk assessment at least annually incorporating threat and vulnerability analyses;
- Implement an incident response plan that contains proactive measures to investigate and mitigate cybersecurity events;
- Maintain business continuity and disaster recovery plan requirements that are tested annually;
- Develop procedures around maintaining a robust asset inventory, which includes a method to track key information for each asset, including the (1) owner, (2) location, (3) classification or sensitivity, (4) support expiration date, and (5) recovery time requirements; and
- Adopt multi-factor authentication (“MFA”) for remote access to information systems, third-party applications, and privileged accounts other than service accounts that prohibit interactive login.[16]
Enhanced Obligations for Large “Class A” Companies
The amendments create additional requirements for “Class A” companies, which include entities with a gross annual revenue of at least $20 million in each of the last two fiscal years from all business operations of the entity and the business operations in New York of the entity’s affiliates and (1) over 2,000 employees averaged over the last two fiscal years (including employees working at an affiliate), or (2) more than $1 billion in gross revenue in each of the last two fiscal years from all operations of the entity and its affiliates.[17] New obligations for “Class A” companies include:
- Independent audits of cybersecurity programs based on a risk assessment;
- A privileged access management solution;
- An automated method of blocking commonly used passwords for all accounts on information systems owned or controlled by the company and wherever feasible for all other accounts;
- An endpoint detection and response solution to monitor anomalous activity, including lateral movement; and
- A solution that centralizes logging and security event alerting.[18]
Enforcement
NYSDFS has indicated that the commission of a single act prohibited by the Cybersecurity Regulations, or the failure to comply with any portion of the regulations, constitutes a violation of Part 500. Specifically, such acts or failures include, without limitation, (1) the failure to secure or prevent unauthorized access to an individual’s or an entity’s NPI due to noncompliance with any section, or (2) the material failure to comply for any 24-hour period with any section.[19] Notably, however, NYSDFS will consider various mitigating factors that contributed to noncompliance, including good faith, any history of prior violations, the extent of harm to consumers, the gravity of the violation, whether the incident was an isolated event, and accurate and timely disclosure to affected consumers.[20]
NYSDFS appears ready to vigorously enforce its cyber rules, although it has to date focused its investigations and enforcement actions on entities that have experienced reportable data breaches.
Looking Ahead
For many health insurance companies and other regulated entities, preparing to comply with the amended Cybersecurity Regulations will require substantial effort in the coming months. This will include updating policies and procedures, honing incident response capabilities to properly notify NYSDFS of a reportable cybersecurity event, and redefining governance procedures. The transitional period before the updated reporting obligation comes into effect on December 1, 2023 is short, which means that companies must quickly begin implementing or updating disclosure procedures to comply with this requirement.
***
If you have any questions concerning this Alert, please contact your usual Ropes & Gray advisor or one of the authors.
1. Press Release, Governor Hochul Announces Updates to New York’s Nation-Leading Cybersecurity Regulations as Part of Sweeping Effort to Protect Businesses and Consumers from Cyber Threats (Nov. 1, 2023), https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202311011.
2. 23 NYCRR § 500.1(e).
3. Under § 500.1(k), NPI means all “electronic information that is not publicly available information and is:
   - business related information of a covered entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the covered entity;
   - any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements: (i) social security number; (ii) drivers’ license number or non-driver identification card number; (iii) account number, credit or debit card number; (iv) any security code, access code or password that would permit access to an individual’s financial account; or (v) biometric records;
   - any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to: (i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual’s family; (ii) the provision of health care to any individual; or (iii) payment for the provision of health care to any individual.”
4. Id. at § 500.22.
5. Id. at § 500.19. Unless otherwise noted, this Alert does not address Part 500’s limited exemptions for small businesses.
6. Id. at §§ 500.17; 500.1(g). The amendments refer to a reportable cybersecurity event as a “cybersecurity incident”—a revision made after commentators requested that NYSDFS use the term “cybersecurity incident” with respect to notification in order to align with reporting language in other regulations.
7. Id. at § 500.17(a)(2).
8. Id. at § 500.17(c)(1).
9. Id. at § 500.17(c)(2).
10. Id. at § 500.4(d). Alternatively, the senior officer or officers responsible for the entity’s cybersecurity program may serve as the senior governing body. Id. at § 500.1(q).
11. Id. at §§ 500.3–500.4.
12. Id. at § 500.4(d)(1).
13. Id. at § 500.4(b).
14. Id. at § 500.4(c).
15. Id. at § 500.17(b).
16. Id. at §§ 500.09–500.16. With respect to MFA, if the regulated entity has a CISO, the CISO may approve in writing the use of reasonably equivalent or more secure compensating controls. Such controls shall be reviewed periodically, but at a minimum annually.
17. Id. at § 500.01(d).
18. Id. at §§ 500.02(c); 500.7(c); 500.14(b).
19. Id. at § 500.20(b).
20. Id. at § 500.20(c).