NYDFS new draft amendments to cybersecurity law: Don’t blink or you will miss it
Cybersecurity, data security, and privacy laws are the fastest moving and evolving regulations in the country. Don’t blink, or you will miss an amendment or a change to existing law. The New York State Department of Financial Services (NYDFS) demonstrated just that in a recent draft amendment to its already strict cybersecurity law.
The NYDFS proposed amendments include:
Requirements for Class A Companies
Class A companies (entities, including the covered entity and its affiliates, with over 2,000 employees or over $1 billion in gross annual revenue averaged over the last three fiscal years) will be subject to new requirements, including independent audits, vulnerability assessments at least weekly, password controls, and endpoint detection and monitoring.
Covered entities will now need to implement and maintain a written policy or policies approved at least annually by the covered entity’s senior governing body (the board of directors or an equivalent governing body, or an appropriate committee thereof). Among the other additions, which relate to data governance and greater independence for the CISO, companies will need to perform tabletop exercises and incident response planning, and pay greater attention to business continuity and disaster recovery planning.
Covered entities will now require tailored risk assessments, i.e., identifying cybersecurity risks to operational assets, individuals, customers, etc. Moreover, risk assessments must be updated annually, and covered entities must conduct a risk assessment whenever a change in the business or its technology causes a material change to its cyber risk. Class A companies will be required to have a risk assessment conducted by an external company at least once every three years.
No matter its size, a covered entity will now need to implement stricter access controls and a data inventory (i.e., classification, location, sensitivity, recovery time, etc.) related to privileged accounts. Further, the access controls will require limiting privileged access to users whose job functions require it, MFA for all privileged accounts, and controls over protocols that allow remote control of devices.
Covered entities will now need to maintain in writing an accurate and complete asset inventory as part of their cybersecurity program. This includes, at minimum, tracking critical information for its assets (as applicable): owner, location, classification or sensitivity, support expiration date, and recovery time requirements. This includes hardware assets, their operating systems and applications, and APIs and cloud services.
Business Continuity and Disaster Recovery Plan
Covered entities will also need to establish a plan that contains disaster recovery measures to ensure operational resilience. The plan must be designed to confirm the availability and functionality of the covered entity’s services in the event of an emergency or disruption. At a minimum, this should include identifying critical data, infrastructure, personnel, and supervisory personnel who can implement the BCDR plan, as well as a communication plan (including internal and external communications), backup facilities, data backups, and essential third parties. In addition to being implemented, the plan must also be tested and revised periodically.
The most pertinent of the new notification requirements is the requirement to notify the NYDFS within 24 hours of a ransom payment. Additionally, within 30 days of a ransom payment, covered entities will need to explain why the ransom was paid, whether alternatives were considered, and whether a sanctions check was performed. The general 72-hour notification requirement for a cybersecurity event remains intact and now includes cybersecurity events where an unauthorized user has gained access to a privileged account, as well as ransomware events within a material part of the covered entity’s information system.
The most consequential part of any new law is the penalties. The NYDFS draft amendment lays out two primary points on penalties. First, a single act prohibited by the law, or a single failure to satisfy an obligation, constitutes a violation. This includes a failure to notify the NYDFS of an actual or suspected cybersecurity incident. Second, the NYDFS lays out mitigating factors that it may consider when assessing fines and penalties. These include cooperation, good faith, intention, prior history of violations, the severity of the violation, harm to consumers, etc.
The bottom line is that companies need to be laser-focused on keeping pace with the changes in these types of laws. As the old saying goes, ignorance is no excuse under the law. The McDonald Hopkins’ Data Privacy and Cybersecurity team will continue to follow the latest changes on these and other privacy laws, and provide updates accordingly.
Note: If the covered entity does not have a board of directors or equivalent governing body, then the senior officer of the covered entity is responsible for the covered entity’s cybersecurity program.
Note: Privileged account means any authorized user account or service account that can be used to: (1) perform security-relevant functions that ordinary users are not authorized to perform, including but not limited to the ability to add, change, or remove other accounts, or make configuration changes to operating systems or applications to make them more or less secure; or (2) affect a material change to the technical or business operations of the covered entity.