As discussed prior, in late 2022 the New York Department of Financial Services (“DFS”) published proposed amendments to its Cybersecurity Regulation, 23 NYCRR Part 500 (“Proposed Amendments”). If the Proposed Amendments are adopted, they would go into effect sometime in 2023, especially given that the public comment period expires near the end of March 2023. Thus, if not already accomplished or scheduled, an entity would be wise to prepare in advance for the Proposed Amendments and prioritize a detailed review of its cybersecurity programs and its plan to meet the increased obligations.
As indicated, the Proposed Amendments would, among other things, increase cybersecurity accountability at the executive and board levels. This includes requiring more due diligence – including written analysis and reasoning for responses to cybersecurity incidents – as well as increased security measures, training and monitoring, along with more robust risk assessments and annual audits. Specifically, the Proposed Amendments require the board to “have sufficient expertise and knowledge or be advised by persons with sufficient expertise and knowledge, to exercise effective oversight of cybersecurity risk management.” In sum, it appears that DFS is laying the foundation for increased examinations and fines by intensifying scrutiny of board members and executives.
DFS has already assessed multi-million dollar fines against entities for non-compliance in the context of cybersecurity incidents. Thus, by increasing obligations for boards and executives, DFS can be even more efficient and punitive, given that responsibility starts at the top of an organization. For example, consider these additional obligations with regard to a written security policy. It will no longer suffice that an entity has a written security policy that has been distributed. The Proposed Amendments will require an entity not only to maintain a written security policy but also to prove implementation, conduct annual audits, and demonstrate how the policy has been adjusted based upon risk assessments and the threat landscape. Most importantly, the Proposed Amendments require the board to review and approve the policies, and the annual certification must be signed by the CEO and CISO.
In other words, DFS is completing its transition from carrot to stick, and entities should heed this change. An entity would be wise to fully prepare for passage of the Proposed Amendments and prioritize a thorough review of its cybersecurity programs to determine how it will meet the increased obligations for its board and executives, including solutions to operationalize regular oversight and implementation.
Written by John J. Cooney, Esq.
With over 25 years of combined business, legal, and technical experience, The Law Office of John J. Cooney, P.C. offers comprehensive legal strategies and solutions for businesses, working seamlessly and efficiently with management and any existing counsel. John’s firm concentrates on General Counsel services, Pre-Litigation Investigation, Defense, and Compliance services, as well as the Cybersecurity arena.