The New York Department of Financial Services (“DFS”) recently released a proposed second amendment to the Cybersecurity Regulation, 23 NYCRR Part 500 (“Proposed Amendments”), which if adopted would go into effect sometime in 2023. The Proposed Amendments address a number of topics, which in sum, impose several more detailed obligations concerning corporate governance responsibility, reporting, and risk assessments. In short, entities need to actively reassess their cybersecurity programs, coordination, and governance in light of the upcoming obligations.
As indicated, the Proposed Amendments require increased corporate governance. For instance, the board of directors will be more responsible for the governance of cybersecurity risk. Specifically, the board (or equivalent) is required to “have sufficient expertise and knowledge or be advised by persons with sufficient expertise and knowledge, to exercise effective oversight of cybersecurity risk management.” Given the increased knowledge and expertise required of the board, DFS then imposes another obligation and will require the board to annually approve the cybersecurity policy. In other words, there is nowhere to hide and the responsibility to assess and mitigate cybersecurity risk will now involve the most senior levels.
Another example of increased obligations is incident reporting. DFS will require an entity to notify DFS within 24 hours of a ransomware (or any extortion type) payment and follow up with a written explanation about why the payment was necessary, alternatives considered, and all due diligence performed. In short, DFS is getting much more in depth to the analysis and decision making within an entity. Once again, it is important to remember that your incident response team should be comprised of cybersecurity and legal professionals to assess and determine the incident response as well as what information can and should be provided to DFS, especially in light of attorney-client privilege protections.
On a final note, another interesting detail is that the Proposed Amendments will require an entity to not only maintain a written security policy but to now document how the policy has been implemented and enhanced via risk assessments. For instance, entities will be required to conduct annual audits of their risk assessment strategies and update the policies and programs accordingly. In short, a written policy without proof of implementation and consistent vigilance will no longer suffice. The new policy and risk assessment requirements will require a lot of thought and an entity should look for solutions to operationalize regular oversight, documentation, and implementation of its respective security policies and programs.
In summary, the Proposed Amendments should not be a surprise. DFS has signaled for quite a while that it would become more detailed and stringent with regard to the respective Cybersecurity obligations. An entity would be wise to fully prepare for passage of the Proposed Amendments and prioritize a thorough review of its Cybersecurity programs and how it will meet the increased obligations.
Written by John J. Cooney, Esq
With over a combined 25 years of business, legal, and technical experience, The Law Office of John J. Cooney, P.C. offers comprehensive legal strategies and solutions for businesses working seamlessly with management and any existing counsel in an efficient manner. John’s firm concentrates on General Counsel services, Pre-Litigation Investigation, Defense, and Compliance services, as well as the Cybersecurity arena.