Big news for audit and GRC professionals in the financial services world: the New York Department of Financial Services has proposed numerous updates to its Cybersecurity Rule, which would place more responsibilities on the CISO and impose more exacting standards for cybersecurity policies, procedures, and other control activities.
The Department of Financial Services (DFS) unveiled the proposed updates on Wednesday. They will now be open for public comment until early January, and then DFS will study the comments and either repropose a new version or adopt a final rule, presumably sometime next year.
To be clear, these updates would only apply to businesses that sell financial services in the state of New York, not all companies — but that still covers a lot of businesses, including banks, insurance firms, cryptocurrency startups, plus non-financial companies that offer those services to New York residents. (For example, earlier this year DFS went after Carnival Corp. for weak cybersecurity protections because Carnival sells travel insurance to New Yorkers as part of its cruise and vacation offerings.)
The proposed new rule would group covered businesses by size into three tiers, so that more small companies would be exempt from some portions of the Cybersecurity Rule. Only the largest companies, dubbed “Class A companies” in the proposal, would be subject to all parts. Class A companies would be defined as any business whose New York operations generate more than $20 million in annual revenue for the prior two fiscal years, and either:
- Had 2,000 or more employees on average over the last two fiscal years, wherever those people are located; or
- Had more than $1 billion in annual revenue in each of the last two fiscal years across all of its operations.
DFS didn’t provide an estimate of how many companies might qualify as Class A, but clearly most large firms that sell financial services into the state of New York would qualify. Moreover, most of the proposed new rule would apply to all covered businesses anyway regardless of their size.
The DFS Updates in Detail
So exactly what new items are included in the proposed updates? DFS released an exposure draft of the new rule, with new text underlined and text to be deleted in brackets. Some of the highlights are as follows.
Annual independent audits of the cybersecurity program. That one only applies to the Class A companies mentioned above, but obviously it would be an expensive item. It also raises interesting questions about how such an audit relates to the annual financial or SOX compliance audit, which in theory already covers some cybersecurity controls (at least the IT general controls relevant to financial reporting).
More responsibilities and reporting duties for the CISO. Under the proposed updates, the CISO must have adequate authority “to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program.” That last part about directing sufficient resources almost sounds like it encroaches on setting budgets; it could make for some interesting conversations with the CFO.
The CISO would also need to make more reports to senior management. The existing Cybersecurity Rule already requires the CISO to report to senior management annually. Under the new rule, those reports would need to include a discussion of how the CISO plans to remediate any material weaknesses in the security program. The CISO would also need to make additional reports, such as any time the business suffers a “material cybersecurity issue” or whenever the business updates its cybersecurity risk assessment.
Expanded responsibilities for asset management and data retention. Companies would need to adopt written policies and procedures “designed to ensure a complete, accurate and documented [IT] asset inventory.” Those policies and procedures would need to include a method for tracking important information about each IT asset, including its location, owner, support expiration date, and classification or sensitivity. (That last attribute is driven by the types of data an asset holds or processes, not by the hardware itself.)
Moreover, companies will also need to adopt a written policy for the disposal and destruction of nonpublic information that’s “no longer necessary for business operations or for other legitimate business purposes.” This is notable because poor data destruction practices have played a starring role in several enforcement cases lately, such as DFS’ sanction against EyeMed last month and the SEC’s action against Morgan Stanley in September.
More demanding standards for vulnerability management. The proposed new rule specifies that penetration tests are required each year, and that those tests must be done from both inside and outside the boundaries of your IT systems. You would also need to document all material issues discovered during those tests and report them to senior management.
Companies would also need to develop a monitoring process to assure that the cybersecurity team is promptly informed of new security vulnerabilities. Those are the security flaws, configuration errors, and other headaches that a company typically can fix, and fix easily, provided the security team knows about the issue and gets off its duff to implement a patch.
More expansive use of multi-factor authentication. The updated rule would require companies to use multi-factor authentication for:
- remote access to the covered entity’s information systems;
- remote access to third-party applications that contain or process nonpublic information; and
- all privileged accounts.
In theory a company could avoid this requirement if it introduces compensating controls and the CISO approves them in writing; but even then, the CISO would need to review and re-approve those controls annually.
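The three MFA triggers above, plus the compensating-control exception and its annual re-approval, boil down to a decision rule that a GRC tool or an identity team can run against an access inventory. The following is an added illustration written for this post, not code from DFS or from the original article; the account fields, the 365-day re-approval window, the finding labels, and the sample accounts are all assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: "annually" is treated as a rolling 365-day window from the
# CISO's written approval date. A real program would pin this to its own
# policy calendar.
REAPPROVAL_WINDOW = timedelta(days=365)

# Finding labels (assumed names, not DFS terminology).
NOT_IN_SCOPE = "not_in_scope"                 # none of the three MFA triggers apply
COMPLIANT = "compliant"                       # MFA enforced
COMPLIANT_VIA_EXCEPTION = "compliant_via_exception"
GAP_NO_MFA = "gap_no_mfa"                     # trigger applies, no MFA, no exception
GAP_UNAPPROVED_EXCEPTION = "gap_exception_not_approved_in_writing"
GAP_STALE_EXCEPTION = "gap_exception_not_reapproved_within_a_year"


@dataclass
class CompensatingControl:
    description: str
    ciso_approved_in_writing: bool
    approved_on: date


@dataclass
class Account:
    name: str
    remote_access: bool        # remote access to the entity's own information systems
    third_party_npi_app: bool  # remote access to a third-party app holding nonpublic information
    privileged: bool           # privileged account
    mfa_enforced: bool
    compensating_control: Optional[CompensatingControl] = None


def mfa_triggers(acct: Account) -> list:
    """Return which of the three proposed-rule triggers apply to this account."""
    reasons = []
    if acct.remote_access:
        reasons.append("remote access to information systems")
    if acct.third_party_npi_app:
        reasons.append("remote access to third-party application with NPI")
    if acct.privileged:
        reasons.append("privileged account")
    return reasons


def evaluate(acct: Account, as_of: date) -> str:
    """Classify one account against the MFA requirement as of a given date."""
    if not mfa_triggers(acct):
        return NOT_IN_SCOPE
    if acct.mfa_enforced:
        return COMPLIANT
    cc = acct.compensating_control
    if cc is None:
        return GAP_NO_MFA
    if not cc.ciso_approved_in_writing:
        return GAP_UNAPPROVED_EXCEPTION
    # Edge case the rule cares about: an exception that was once valid but
    # has not been re-approved within the window is a gap again.
    if as_of - cc.approved_on > REAPPROVAL_WINDOW:
        return GAP_STALE_EXCEPTION
    return COMPLIANT_VIA_EXCEPTION


def audit(accounts, as_of: date) -> dict:
    """Map every account name to its finding; gaps are what go in the CISO's report."""
    return {a.name: evaluate(a, as_of) for a in accounts}


# Constructed sample inventory (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("helpdesk-vpn", True, False, False, False),
    Account("payroll-saas-user", False, True, False, True),
    Account("domain-admin", False, False, True, False,
            CompensatingControl("hardware-token SSH only", True, date(2021, 10, 1))),
    Account("legacy-batch-svc", False, False, True, False,
            CompensatingControl("isolated network, jump-box only", True, date(2022, 6, 1))),
    Account("intranet-readonly", False, False, False, False),
    Account("jump-host-ops", True, False, False, False,
            CompensatingControl("IP allowlist", False, date(2022, 9, 1))),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ACCOUNTS, date(2022, 11, 15)).items():
        print(f"{name:20s} {finding}")
```

Running it against the constructed inventory flags three gaps: an account with a trigger and nothing else, an exception that never received written CISO approval, and an exception approved more than a year ago. The last case is the one most programs miss, because the control itself is still in place; only the paperwork has lapsed.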
Compliance and GRC Implications
One point that strikes me about DFS’ proposed updates is how similar they are to what other agencies have been saying about good cybersecurity lately.
For example, the Consumer Financial Protection Bureau recently published its expectations for good cybersecurity, where multi-factor authentication and prompt patching of ERP and other software were top priorities. The Federal Trade Commission has published a spate of cybersecurity enforcement actions this fall, where the lack of data disposal policies was an issue. DFS’ new requirements for multi-factor authentication closely track the best practices recommended earlier this year by CISA, the federal government’s lead cybersecurity agency.
So as much as companies might complain that they face a flood of cybersecurity regulation, the picture might not be that dire in practice. Many regulations (or regulators’ demands that we divine through enforcement actions) are converging on a few basic practices that any large company should have.
The trick to navigating all that will be using a GRC tool that can map your various cybersecurity regulatory obligations and identify which controls or policies overlap. You’re likely to find that a lot of them do.
Another point, however, is that success with all these regulations will depend hugely on how much senior management and the board truly want to grapple with cybersecurity.
Go back to that requirement that the CISO will need to make more reports to the board and senior management. Then what? If senior management doesn’t want, or doesn’t know how, to weave cybersecurity into its business strategy, then the CISO will spend a lot of time making reports and putting out each day’s cybersecurity fire, but that won’t help the company become a resilient organization that can prevail against the tumultuous security environment that exists today.