The New York State Department of Financial Services (NYSDFS) adopted amendments to its cybersecurity regulations. The amendments will mandate new controls, require more regular risk assessments and update notification requirements.
“This regulation continues the department’s transformative, data-driven approach to cybersecurity oversight,” New York State Superintendent of Financial Services Adrienne Harris said. “Cyberattacks are on the rise, and the updates require the financial services industry to institute stronger standards and controls to secure sensitive data. Expanded use of proven protections such as multifactor authentication will be required while maintaining the risk-based flexibility of the landmark cybersecurity regulations.”
The new rules strengthen NYSDFS’ risk-based approach to ensure that cybersecurity is integrated into regulated entities’ business planning, decision-making, and ongoing risk management. Key changes include:
- Enhanced governance requirements;
- Additional controls to prevent initial unauthorized access to information systems and to prevent or mitigate the spread of an attack;
- Requirements for more regular risk and vulnerability assessments, as well as more robust incident response, business continuity, and disaster recovery planning;
- Updated notification requirements including a new requirement to report ransomware payments; and
- Updated direction for companies to invest in at least annual training and cybersecurity awareness programs that anticipate social engineering attacks and that are otherwise relevant to their business model and personnel.
After the announcement that the amendments had been finalized, the New York State Land Title Association (NYSLTA) voiced its commitment to cybersecurity awareness and data privacy.
“NYSLTA has a long-standing commitment to promoting cybersecurity awareness and education. Protecting the privacy and security of our members and their customers is a top priority. We are stewards of our customers' critical non-public information,” NYSLTA Executive Vice President Robert Treuber said.
“When the amended regulations were first proposed last year, we submitted comprehensive comments to the NYS Department of Financial Services,” he continued. “We’re thoroughly reviewing the recently posted amended regulations, and we’re currently in the process of updating our compliance training program.
“Moving forward, NYSLTA will maintain our commitment to the cybersecurity of our member companies and will continue to support and collaborate with DFS’s efforts to enhance and improve cybersecurity.”
Limited exemptions
Most title and closing entities fall under the limited exemptions in Section 500.19, which states, “Each covered entity with:
- “Fewer than 20 employees and independent contractors of the covered entity and its affiliates;
- “Less than $7.5 million in gross annual revenue in each of the last three fiscal years from all business operations of the covered entity and the business operations in this state of the covered entity’s affiliates; or
- “Less than $15 million in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all affiliates,
“Shall be exempt from the requirements of sections 500.4, 500.5, 500.6, 500.8, 500.10, 500.14(a)(1), (a)(2), and (b), 500.15 and 500.16 of this part.”
Cybersecurity programs and policies
Section 500.2 has few changes to its requirements.
“The noteworthy terminology difference is that now, in addition to maintaining and protecting the confidentiality, integrity, and availability of the covered entity’s information systems, it must also maintain and protect the confidentiality, integrity, and availability of consumers’ nonpublic information,” said Ryan Cabrita, chief information security officer, Gulotta Grabiner Law Group PLLC.
NYSDFS also amended Section 500.3 to state, “Each covered entity shall implement and maintain a written policy or policies, approved at least annually by a senior officer or the covered entity’s senior governing body for the protection of its information systems and nonpublic information stored on those information systems. Procedures shall be developed, documented and implemented in accordance with the written policy or policies. The cybersecurity policy or policies and procedures shall be based on the covered entity’s risk assessment and address, at a minimum, the following areas to the extent applicable to the covered entity’s operations:
- “information security;
- “data governance, classification and retention;
- “asset inventory, device management and end of life management;
- “business continuity and disaster recovery planning and resources;
- “systems operations and availability concerns;
- “systems and network security and monitoring;
- “security awareness and training;
- “systems and application security and development and quality assurance;
- “physical security and environmental controls;
- “customer data privacy;
- “vendor and third-party service provider management;
- “risk assessment;
- “incident response and notification; and
- “vulnerability management.”
“At first glance, Section 500.3 Cybersecurity Policy may appear to have minor, insignificant changes. There are, however, a few notable changes,” Cabrita noted. “First, the covered entity (CE)’s written policies must be approved at least annually by a senior officer or senior governing body of the CE. Therefore, all CEs are now required to review and audit their cybersecurity-related policies at least annually so they can be properly approved. Additionally, the corresponding procedures to the policies must also be documented clearly.”
Access privileges and management
Section 500.7, regarding access privileges and management, was amended to require that, based on a CE’s risk assessment, the CE must include the following as part of its cybersecurity program:
- limit user access privileges to information systems that provide access to nonpublic information to only those necessary to perform the user’s job;
- limit the number of privileged accounts and limit the access functions of privileged accounts to only those necessary to perform the user’s job;
- limit the use of privileged accounts to only when performing functions requiring the use of such access;
- periodically, but at a minimum annually, review all user access privileges and remove or disable accounts and access that are no longer necessary;
- disable or securely configure all protocols that permit remote control of devices; and
- promptly terminate access following departures.
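An access review implementing the Section 500.7 bullets above, as an added example (not code from the article or from NYSDFS): it flags departed users whose accounts are still enabled, accounts idle beyond the review period, and privileged accounts with no job need. The account fields, the sample users and the 365-day idle threshold are assumptions, not anything the regulation or the article specifies.

```python
"""Access review for the Section 500.7 controls (added example, not from the article)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Idle period after which an account is flagged in the annual review (assumption).
MAX_IDLE_DAYS = 365
# Date the review is run against the constructed sample below (assumption).
REVIEW_DATE = date(2024, 5, 15)

@dataclass
class Account:
    user: str
    enabled: bool
    privileged: bool            # holds an admin or other privileged role
    role_needs_privilege: bool  # the job actually requires that privilege
    last_login: Optional[date]  # None = never logged in
    departed: bool              # HR records the person as having left

def review_access(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Return usernames grouped by the 500.7 control they violate."""
    findings: Dict[str, List[str]] = {
        "terminate_departed": [],  # access not removed after departure
        "disable_stale": [],       # not used within the review period
        "excess_privilege": [],    # privileged without a job need
    }
    for a in accounts:
        if not a.enabled:
            continue  # already disabled; nothing left to act on
        if a.departed:
            findings["terminate_departed"].append(a.user)
        if a.last_login is None or (today - a.last_login).days > MAX_IDLE_DAYS:
            findings["disable_stale"].append(a.user)
        if a.privileged and not a.role_needs_privilege:
            findings["excess_privilege"].append(a.user)
    return findings

# Constructed sample export; these are not real accounts.
SAMPLE = [
    Account("alice", True, True, True, date(2024, 5, 1), False),
    Account("bob", True, True, False, date(2024, 4, 20), False),    # admin, role does not need it
    Account("carol", True, False, False, date(2022, 11, 3), False),  # idle for over a year
    Account("dave", True, False, False, date(2024, 1, 9), True),     # departed, still enabled
    Account("erin", False, True, True, None, True),                  # already disabled
]

def run_sample_review() -> Dict[str, List[str]]:
    return review_access(SAMPLE, REVIEW_DATE)

if __name__ == "__main__":
    for control, users in run_sample_review().items():
        print(f"{control}: {', '.join(users) or 'none'}")
```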
It also requires that CEs implement a written password policy that meets industry standards, something Cabrita said was an important change.
“An excellent amendment to the regulation was the requirement of a written password policy required to meet current industry standards,” he said. “Therefore, this requirement creates an ongoing duty of responsibility for the CE to regularly monitor industry best practices to meet minimum standards. Password policies include not only complexity, but also login attempts before lockout, lockout duration, and unlocking procedures. Because this article is not intended to cover our recommendations, we will not discuss them here. However, the National Institute of Standards and Technology (NIST) publications are a great place to start for many compliance-related matters, including a proper password policy.”
Risk assessments
The section on risk assessments, Section 500.9, was amended to state, “Each covered entity shall conduct a periodic risk assessment of the covered entity’s information systems sufficient to inform the design of the cybersecurity program as required by this part. Such risk assessment shall be reviewed and updated as reasonably necessary, but at a minimum annually, and whenever a change in the business or technology causes a material change to the covered entity’s cyber risk. The covered entity’s risk assessment shall allow for revision of controls to respond to technological developments and evolving threats and shall consider the particular risks of the covered entity’s business operations related to cybersecurity, nonpublic information collected or stored, information systems utilized and the availability and effectiveness of controls to protect nonpublic information and information systems.”
Multi-factor authentication
Cabrita said that amendments to Section 500.12 on multi-factor authentication (MFA) are important because companies with limited exemptions have not had to comply with these requirements in the past.
“It is very important that companies recognize this significant change,” he said. “Now all covered entities are required to implement multi-factor authentication if an individual, regardless of whether they are a direct employee with the covered entity or not, is accessing any of the covered entity’s information systems remotely. Even if your IT consultant or a consumer is accessing your information systems remotely in any way, you still need to enforce multi-factor authentication.”
Cabrita also noted that MFA is required when accessing third-party applications through which nonpublic information is accessible. Any privileged account (e.g., an admin account) that requires an interactive login must also have MFA implemented.
Asset management and data retention requirements
NYSDFS has amended Section 500.13 to add a new provision that states, “As part of its cybersecurity program, each covered entity shall implement written policies and procedures designed to produce and maintain a complete, accurate and documented asset inventory of the covered entity’s information systems. The asset inventory shall be maintained in accordance with written policies and procedures.”
The policies and procedures must include, at minimum, a method to track key information for each asset, including, as applicable, the following:
- owner;
- location;
- classification or sensitivity;
- support expiration date; and
- recovery time objectives.
The policies and procedures must also specify how frequently the CE’s asset inventory is updated and validated.
Training
While CEs with limited exemptions do not have to comply with most of Section 500.14, they must comply with Section 500.14(a)(3), which requires that a CE “provide periodic, but at minimum annual, cybersecurity awareness training that includes social engineering for all personnel that is updated to reflect risks identified by the covered entity in its risk assessment.”
Cabrita noted that the requirement highlights social engineering.
“My recommendation, especially because social engineering was discussed specifically, is to conduct monthly, or at least quarterly, phishing simulation trainings, which would keep employees up to date on the current and most recent phishing scams out there to keep them on the lookout,” he said.