Fintech Companies Prepare for Upcoming Updates to NY Cybersecurity Regulation | Foley Hoag LLP – Security, privacy and the law

[author: Benjamin Kalman]

Proposed changes to 23 NYCRR part 500

If you are the information security manager (“CISO”) of a fintech company operating in New York, you may already be aware that on November 9, 2022, the New York State Department of Financial Services (“DFS”) proposed another amendment to 23 NYCRR Part 500 (the “DFS Cybersecurity Regulation”). While many of the requirements of the original 2017 DFS Cybersecurity Regulation remain, the proposed amendments impose increased requirements on companies covered by the regulation.

Here are some important highlights of the proposed changes for fintech companies (and technology companies in general):

  • Covered entities. The definition of “covered entity” remains largely the same under the proposed changes. A fintech company will be considered a “covered entity” under 23 NYCRR Part 500 if it is subject to licensing, registration, or other requirements under the New York State Banking Law, Insurance Law, or Financial Services Law. While a comprehensive review of such requirements is beyond the scope of this blog post, please note that all companies (with some enumerated exceptions) engaged in the “business of selling or issuing checks” or “the business of receiving money for transmission or transmitting the same” (read: money transmitters) must be licensed under section 641(1) of the Banking Law, and can therefore be considered a “covered entity” under the DFS Cybersecurity Regulation.
  • Class A companies. The proposed amendments introduce a new class of regulated entities: “Class A companies”. Class A companies are defined as covered entities with at least $20 million in gross annual revenue (across all affiliated entities) from business operations in New York State in each of the last two fiscal years, and either (1) 2,000 employees (across all affiliated entities, regardless of location), or (2) over $1 billion in gross annual revenue (again, across all affiliated entities) in each of the last two fiscal years. If enacted in their current form, the proposed amendments would add the following increased requirements for Class A companies (among others):
    • Conduct an independent audit of the company’s cybersecurity program at least annually;
    • Implement an automated method to block commonly used passwords for all user accounts;
    • Engage external experts to carry out risk assessments at least once every three years;
    • Implement an endpoint detection and response solution to monitor anomalous activity, along with a solution that centralizes logging and security event alerting.

What can you do?

For all covered entities (including the newly defined “Class A companies”), compliance with the proposed changes will require a comprehensive review (and potentially an overhaul) of existing cybersecurity policies. In preparation for the proposed changes coming into effect (which could happen at any time in 2023), there are some preliminary steps to take and important timelines to keep in mind:

  • Immediately
    • Annual certification. A number of provisions will come into force immediately upon the effective date of the proposed second amendment (the “Effective Date”). One such provision requires covered entities to prepare and submit to DFS a “Certification of Compliance” either (i) certifying that the covered entity complied with the regulation, or (ii) acknowledging that the entity did not comply, identifying the areas of noncompliance, identifying all areas, systems and processes that require material improvement, and providing plans for improvement. This certification must be signed by the covered entity’s “highest-ranking executive” and its CISO (or, in the absence of a CISO, the senior officer responsible for the covered entity’s cybersecurity program).
  • Thirty days
    • Within thirty days of the Effective Date, covered entities must ensure that their cybersecurity policies reflect the following:
      • Ransomware. In the event a ransom is paid in response to a ransomware attack, covered entities must:
        • Notify DFS within 24 hours of the payment; and
        • Within 30 days of the payment, provide DFS with a written statement explaining why the payment was made (among other points).
      • Cybersecurity incident notification. The proposed changes retain the requirement to notify DFS within 72 hours of a cybersecurity incident; however, they expand the list of types of cybersecurity incidents subject to this notification requirement, and add that covered entities must further:
        • Provide any information “regarding the investigation of the cybersecurity incident” that DFS requests within 90 days of the cybersecurity incident; and
        • Notify DFS within 72 hours of a cybersecurity incident at a third-party service provider.
  • One year
    • Backups. Within one year of the Effective Date, covered entities must maintain backups that are adequately protected against unauthorized modification or destruction.
  • Eighteen months
    • Within eighteen months of the Effective Date, covered entities’ cybersecurity policies must include the following policies and procedures:
      • Vulnerability scanning. Going forward, covered entities will be required to conduct annual automated scans of information systems (and manual reviews of systems not covered by automated scans) to analyze and report on vulnerabilities.
      • Password policy. Covered entities must implement written password protection policies that meet “industry standards.” As mentioned above, Class A companies will have additional and increased requirements.
      • Multi-factor authentication (MFA). Covered entities must use MFA for (1) remote access to information systems, (2) remote access to third-party applications (including cloud-based applications), and (3) all privileged accounts.
      • Protection against malicious code. Covered entities must implement controls that protect against malicious code (including monitoring and filtering of web traffic and e-mail).
  • Two years
    • Asset inventory. Within two years of the Effective Date, covered entities must implement written policies and procedures designed to “ensure a complete, accurate and documented asset inventory.”

As noted above, this information should be viewed as a starting point and not as an exhaustive list of actions that must be taken when the proposed changes come into force. Companies should review the proposed changes thoroughly to understand all updated obligations. This is particularly important given the updates to the enforcement-related provisions of the proposed amendments, which provide that failure to meet an obligation required under the regulation for as little as 24 hours may result in DFS assessing a penalty.
