Alston & Bird Consumer Finance Blog

Privacy and Cybersecurity

NY DFS Releases Revised Proposed Second Amendment of its Cybersecurity Regulation

By , ,

The New York Department of Financial Services (“NY DFS”) published an updated proposed Second Amendment to its Cybersecurity Regulation (23 NYCRR Part 500) in the New York State Register on June 28, 2023, updating its previous proposed Second Amendment, which was published November 9, 2022. While the language proposed is largely similar to the previous draft, which we previously summarized, NY DFS incorporated a number of changes as a result of the 60-day comment period.

Below we outline some of the key revisions to the proposed Second Amendment of NY DFS’s Cybersecurity Regulation compared to the previously issued version from November 9, 2022:

  • Risk Assessment (§§ 500.01 & 500.09). NY DFS previously proposed (in the November 2022 draft) to revise the definition of “Risk Assessment,” which NY DFS has repeatedly emphasized is a core and gating requirement for compliance with the Cybersecurity Regulation, permitting covered entities to “take into account the specific circumstances of the covered entity, including but not limited to its size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations.” By contrast, the newly proposed definition more formally defines the components of and inputs to the risk assessment: “Risk assessment means the process of identifying, estimating and prioritizing cybersecurity risks to organizational operations (including mission, functions, image and reputation), organizational assets, individuals, customers, consumers, other organizations and critical infrastructure resulting from the operation of an information system. Risk assessments incorporate threat and vulnerability analyses, and consider mitigations provided by security controls planned or in place.” The revised definition omits the explicit reference to tailoring and customization currently found in § 500.09.  The removal of this language and codification of the risk assessment’s general parameters suggests that although risk assessments can and should be customized to some extent, NY DFS may expect risk assessments to address a more standard set of components that as a general framework is not open to customization.
    • In addition, NY DFS removed the requirement that Class A companies (which are generally large entities with at least $20M in gross annual revenue in each of the last two fiscal years from business operations in New York, and over 2,000 employees, on average over the last two years, or over or over $1B in gross annual revenue in each of the last two fiscal years from all business operations) use external experts to conduct a risk assessment once every three years.
  • Multi-factor Authentication (“MFA”) (§ 500.12). NY DFS continues to stress the importance of MFA in the newly revised draft of the proposed Second Amendment by broadening the requirement (relative to the current MFA requirements and proposed draft from November 2022) and bringing it in alignment with the FTC’s amended Safeguards Rule. In the revised language, MFA is explicitly required to “be utilized for any individual accessing any of the covered entity’s information systems,” (with limited exceptions, outlined below); NY DFS removed from § 500.12(a), (1) the pre-requisite that MFA be implemented based on the covered entity’s risk assessment, and (2) the option of implementing other effective controls, such as risk-based authentication. By doing so, NY DFS appears to strongly recommend MFA implementation across the board, despite retaining the limited exception if the CISO approves in writing a reasonably equivalent or more secure compensating controls (and such controls must be reviewed periodically, and at least annually).
    • For covered entities that fall under the limited exemption set forth in § 500.19(a), which are generally smaller covered entities (based on number of employees and/or annual revenue), MFA must at least be utilized for (1) remote access to the covered entity’s information systems, (2) remote access to third-party applications that are cloud-based, from which nonpublic information is accessible, and (3) all privileged accounts other than service accounts that prohibit interactive logins. As with all other covered entities, the CISO may approve, in writing, reasonably equivalent or more secure compensating controls, but such controls must be reviewed periodically, and at least annually.
  • Incident Response Plan (“IRP”) and Business Continuity and Disaster Recovery Plan (“BCDR”) (§ 500.16). NY DFS added an additional requirement that a covered entity’s IRP include requirements to address the root cause analysis of a cybersecurity event, describing how the cybersecurity event occurred, the business impact from the cybersecurity event, and remediation steps to prevent reoccurrence. NY DFS clarified that the IRP and BCDR must be tested at least annually, and must include the ability to restore the covered entities “critical data” and information systems from backup (but NY DFS does not define “critical data”). As noted in our previous summary, the concept of BCDR is new as of the Second Amendment and not currently in effect in the existing regulation.
  • Annual Certification of Compliance (§ 500.17(b)). NY DFS maintains its current requirement of an annual certification of compliance by a covered entity, but has adjusted the standard for certification from “in compliance” to a certification that the covered entity “materially complied” with the Cybersecurity Regulation during the prior calendar year.  Although NY DFS does not define material compliance, this revision should provide some flexibility for covered entities to complete the certification.  Going forward, covered entities would be presented with two options: (i) submit a written certification that it “materially complied” with the regulation (§ 500.17(b)(1)(i)(a)); or (ii) a written acknowledgment that it did not “fully comply” with the regulation (§ 500.17(b)(1)(ii)(a)), while also identifying “all sections…that the entity has not materially complied with” (§ 500.17(b)(1)(ii)(b)).  It is unclear how NY DFS intends for covered entities to parse the distinction between material compliance and a lack of full compliance, but the requirement for the covered entity to list each section with which it was not in material compliance suggests that it may expect a section-by-section analysis of material compliance for purposes of completing the certification process.
  • Penalties (§ 500.20). Interestingly, NY DFS added that it would take into consideration the extent to which the covered entity’s relevant policies and procedures are consistent with nationally-recognized cybersecurity frameworks, such as NIST, in assessing the appropriate penalty for non-compliance with the Cybersecurity Regulation.  DFS maintains its proposed amendment that a “violation” is: (1) the failure to secure or prevent unauthorized access to an individual’s or entity’s NPI due to non-compliance or (2) the “material failure to comply for any 24-hour period” with any section of the regulation.

The revised proposed Second Amendment are subject to a 45-day comment period, ending August 14, 2023.

CSBS Releases Cybersecurity Programs to Help Nonbank Financial Services Institutions Improve Cybersecurity Posture

By , , ,

A&B ABstract

On August 9, 2022, the Conference of State Bank Supervisors (CSBS) released two cybersecurity tools for nonbank financial services institutions to help them prepare for state cybersecurity examinations and, ultimately, improve cybersecurity maturity and protect financial institution infrastructure. These tools are designed to address key aspects of the Uniform Rating System for Information Technology; namely, Audit, Management, Development and Acquisition, and Support and Delivery. The CSBS also outlined the key documents that state examiners are likely request during examinations to help ensure nonbank financial services institutions are prepared to respond to examination questions.

CSBS Cybersecurity Tools

Developed by a multi-state team of cybersecurity examination experts, the Baseline Nonbank Cybersecurity Exam Program and the Enhanced Nonbank Cybersecurity Exam Program (the “Programs”) are a set of cybersecurity questions used by state examiners to assess the ability of nonbank financial services companies to comply with applicable cybersecurity and data protection requirements. While these Programs are optional resources, the CSBS encourages nonbank financial services institutions to leverage these Programs as prescriptive guidance in implementing and maintaining a compliant cybersecurity program.

The Baseline Nonbank Cybersecurity Exam Program is intended for small nonbank financial services institutions, whereas the Enhanced version is used by state examiners evaluating larger more complex nonbank financial services institutions (the distinction between which institutions fall under the Baseline vs the Enhanced Program are not specified). Both Programs cover four overarching areas of the Uniform Rating System for Information Technology (URSIT) – (1) Audit, (2) Management, (3) Development and Acquisition, and (4) Support and Delivery. Specifically, the examination covers a wide range of topics, such as executive oversight of the cybersecurity program, details on the institution’s network security, vendor management, cyber insurance, malware protection controls, patch management procedures, asset inventory, business continuity management and incident response plan.  The examination questions, where relevant, cite to the FTC Safeguards Rule, as amended (16 CFR § 314) which became effective January 10, 2022 (with the exception of a limited number of sections that are not enforceable until December 9, 2022).

The CSBS also provides a Document Request List, outlining key artifacts that state examiners may request (and have requested during past examinations) to help support the institutions’ response to the examination questions. Key artifacts include core policies and procedures, written information security programs, risk assessment(s), materials presented to the board/senior management discussing cybersecurity, vulnerability assessments, and patch deployment confirmation.

These Programs, according to CSBS’s Senior Vice President of Nonbank Supervision, Chuck Cross, are intended to streamline supervisory clarity and create a more resilient financial system. These Programs are a part of CSBS’ larger initiative to equip the industry with the necessary tools to protect the critical infrastructure of financial institutions; for example, it previously provided nonbanks with a Ransomware Self-Assessment Tool and a Cybersecurity 101 Guide for executives.

Takeaway

Through the Programs, CSBS has provided nonbank financial services institutions the ability to more adequately prepare for regulatory examinations by outlining core questions and artifacts. However, the cybersecurity regulations applicable to financial institutions continue to evolve, both on the federal and state level, requiring additional resources and expertise. It is also unclear how widely adopted these Programs will be by state regulators, particularly state regulators that have developed their own comprehensive cybersecurity examination questions (such as the New York Department of Financial Services), and there will likely continue to be differences across state regulatory examinations.

We will continue monitoring the guidance issued by CSBS and other financial industry participants and regulators with respect to the evolving cybersecurity compliance landscape.

Department of Justice Announces New Civil Fraud Cybersecurity Enforcement Team

By

On October 6, 2021, Deputy Attorney General Lisa O. Monaco announced the launch of the Department of Justice’s Civil Cyber-Fraud Initiative.  As Kellen Dwyer, Kim Peretti ,and Jon Knight report on the Privacy, Cyber & Data Strategy Blog, the Department plans to use civil enforcement tools to “pursue…those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards.”

Colorado Privacy Act Becomes Third Comprehensive State Privacy Act in the United States

By ,

The Colorado Privacy Act (CPA) became law when Governor Jared Polis signed the bill on July 7, 2021. The CPA is the third general state privacy law in the United States, following the Virginia Consumer Data Protection Act (CDPA) and the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). Although the CPA does not provide an express private right of action, businesses that violate the Act may face liability for deceptive acts (and a civil penalty of $20,000 per violation), enforced by the Colorado attorney general and/or Colorado state district attorneys.

In a Privacy, Cyber & Data Strategy Advisory, our Privacy, Cyber & Data Strategy Team highlights some of the similarities and differences between Colorado’s new consumer privacy law and its older siblings in California and Virginia.

Colorado Becomes the Third State to Adopt a General Privacy Law

By

On July 7, Colorado became the third state behind California and Virginia to adopt a comprehensive privacy law when Governor Jared Polis signed the Colorado Privacy Act into law. The CPA contains many similarities to the Virginia Consumer Data Protection Act (VCDPA) and the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA). But there are several key differences, including with respect to the scope of certain of the consumer privacy rights and the contract terms required in agreements with processors. Like CPRA but unlike the VCDPA, the statute mandates a formal rulemaking process. Notably, the law does not contain a private right of action, but a violation of the CPA is considered a deceptive trade practice and may result in a fine of $20,000 per violation. The CPA takes effect July 1, 2023.

Please contact our Privacy, Cyber & Data Strategy Team with any questions or for further guidance.