#New York

NYDFS Finalizes Second Amendment to Its Cybersecurity Regulation

November 14, 2023 By Kristy Brown, Kimberly Peretti, Kate Hanniford, Ashley Miller, Lance Taubin

On November 1, 2023, the New York Department of Financial Services (NYDFS) published the finalized Second Amendment to its Cybersecurity Regulation (23 NYCRR Part 500), which includes a number of significant and, for many covered entities, onerous changes to its original regulation. The finalized Second Amendment is much like the June 2023 proposed draft (which made certain revisions to the November 2022 draft). Covered entities should take note of these now-final changes that will require covered entities to review and revamp major components of their cybersecurity programs, policies, procedures, and controls to ensure they are in compliance. This is particularly important as the NYDFS continues to take on an active enforcement role following cyber events, marking itself as a leading cyber regulator in the United States.

Covered entities must notify the NYDFS of certain cybersecurity incidents, including providing notice within: (1) 72 hours after determining a cybersecurity event resulting in the “deployment of ransomware within a material part of the covered entity’s information system” occurred; and (2) 24 hours of making an extortion payment in connection with a cybersecurity event.

Covered entities must implement additional cybersecurity controls, including expanding their use of multifactor authentication and maintaining a comprehensive asset inventory. Covered entities are also required to maintain additional (or more prescriptive) cybersecurity policies and procedures, including ensuring that their incident response plans address specific delineated issues (outlined in the Second Amendment) and maintaining business continuity and disaster recovery plan requirements (both of which must be tested annually).

The most senior levels of the covered entity (senior governing body) must have sufficient knowledge to oversee the cybersecurity program. Additionally, the highest-ranking executive and the CISO are required to sign the covered entity’s annual certification of material compliance.

A material failure (which could be a single act) to comply with any portion of the Cybersecurity Regulation for a 24-hour period is considered a violation.

The Second Amendment became effective on November 1, 2023, and covered entities generally have 180 days to come into compliance with the new requirements. There are certain requirements, however, that will be phased in over the next two years. We have outlined the material changes and the effective dates below.

The NYDFS is providing a number of resources for covered entities, including a helpful visual overview of the implementation timeline for covered entities, Class A companies, and small businesses (NYDFS-licensed individual producers, mortgage loan originators, and other businesses that qualify for exemptions under Sections 500.19 (a), (c), and (d)). The NYDFS is also hosting a series of webinars to provide an overview of the Second Amendment; individuals can register for the webinars on the NYDFS’s website.

NY DFS Releases Revised Proposed Second Amendment of its Cybersecurity Regulation

July 13, 2023 By Kimberly Peretti, Kate Hanniford, Ashley Miller, Lance Taubin

The New York Department of Financial Services (“NY DFS”) published an updated proposed Second Amendment to its Cybersecurity Regulation (23 NYCRR Part 500) in the New York State Register on June 28, 2023, updating its previous proposed Second Amendment, which was published November 9, 2022. While the language proposed is largely similar to the previous draft, which we previously summarized, NY DFS incorporated a number of changes as a result of the 60-day comment period.

Below we outline some of the key revisions to the proposed Second Amendment of NY DFS’s Cybersecurity Regulation compared to the previously issued version from November 9, 2022:

Risk Assessment (§§ 500.01 & 500.09). NY DFS previously proposed (in the November 2022 draft) to revise the definition of “Risk Assessment,” which NY DFS has repeatedly emphasized is a core and gating requirement for compliance with the Cybersecurity Regulation, permitting covered entities to “take into account the specific circumstances of the covered entity, including but not limited to its size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations.” By contrast, the newly proposed definition more formally defines the components of and inputs to the risk assessment: “Risk assessment means the process of identifying, estimating and prioritizing cybersecurity risks to organizational operations (including mission, functions, image and reputation), organizational assets, individuals, customers, consumers, other organizations and critical infrastructure resulting from the operation of an information system. Risk assessments incorporate threat and vulnerability analyses, and consider mitigations provided by security controls planned or in place.” The revised definition omits the explicit reference to tailoring and customization currently found in § 500.09. The removal of this language and codification of the risk assessment’s general parameters suggests that although risk assessments can and should be customized to some extent, NY DFS may expect risk assessments to address a more standard set of components that as a general framework is not open to customization.
- In addition, NY DFS removed the requirement that Class A companies (which are generally large entities with at least $20M in gross annual revenue in each of the last two fiscal years from business operations in New York, and over 2,000 employees, on average over the last two years, or over or over $1B in gross annual revenue in each of the last two fiscal years from all business operations) use external experts to conduct a risk assessment once every three years.
Multi-factor Authentication (“MFA”) (§ 500.12). NY DFS continues to stress the importance of MFA in the newly revised draft of the proposed Second Amendment by broadening the requirement (relative to the current MFA requirements and proposed draft from November 2022) and bringing it in alignment with the FTC’s amended Safeguards Rule. In the revised language, MFA is explicitly required to “be utilized for any individual accessing any of the covered entity’s information systems,” (with limited exceptions, outlined below); NY DFS removed from § 500.12(a), (1) the pre-requisite that MFA be implemented based on the covered entity’s risk assessment, and (2) the option of implementing other effective controls, such as risk-based authentication. By doing so, NY DFS appears to strongly recommend MFA implementation across the board, despite retaining the limited exception if the CISO approves in writing a reasonably equivalent or more secure compensating controls (and such controls must be reviewed periodically, and at least annually).
- For covered entities that fall under the limited exemption set forth in § 500.19(a), which are generally smaller covered entities (based on number of employees and/or annual revenue), MFA must at least be utilized for (1) remote access to the covered entity’s information systems, (2) remote access to third-party applications that are cloud-based, from which nonpublic information is accessible, and (3) all privileged accounts other than service accounts that prohibit interactive logins. As with all other covered entities, the CISO may approve, in writing, reasonably equivalent or more secure compensating controls, but such controls must be reviewed periodically, and at least annually.
Incident Response Plan (“IRP”) and Business Continuity and Disaster Recovery Plan (“BCDR”) (§ 500.16). NY DFS added an additional requirement that a covered entity’s IRP include requirements to address the root cause analysis of a cybersecurity event, describing how the cybersecurity event occurred, the business impact from the cybersecurity event, and remediation steps to prevent reoccurrence. NY DFS clarified that the IRP and BCDR must be tested at least annually, and must include the ability to restore the covered entities “critical data” and information systems from backup (but NY DFS does not define “critical data”). As noted in our previous summary, the concept of BCDR is new as of the Second Amendment and not currently in effect in the existing regulation.
Annual Certification of Compliance (§ 500.17(b)). NY DFS maintains its current requirement of an annual certification of compliance by a covered entity, but has adjusted the standard for certification from “in compliance” to a certification that the covered entity “materially complied” with the Cybersecurity Regulation during the prior calendar year. Although NY DFS does not define material compliance, this revision should provide some flexibility for covered entities to complete the certification. Going forward, covered entities would be presented with two options: (i) submit a written certification that it “materially complied” with the regulation (§ 500.17(b)(1)(i)(a)); or (ii) a written acknowledgment that it did not “fully comply” with the regulation (§ 500.17(b)(1)(ii)(a)), while also identifying “all sections…that the entity has not materially complied with” (§ 500.17(b)(1)(ii)(b)). It is unclear how NY DFS intends for covered entities to parse the distinction between material compliance and a lack of full compliance, but the requirement for the covered entity to list each section with which it was not in material compliance suggests that it may expect a section-by-section analysis of material compliance for purposes of completing the certification process.
Penalties (§ 500.20). Interestingly, NY DFS added that it would take into consideration the extent to which the covered entity’s relevant policies and procedures are consistent with nationally-recognized cybersecurity frameworks, such as NIST, in assessing the appropriate penalty for non-compliance with the Cybersecurity Regulation. DFS maintains its proposed amendment that a “violation” is: (1) the failure to secure or prevent unauthorized access to an individual’s or entity’s NPI due to non-compliance or (2) the “material failure to comply for any 24-hour period” with any section of the regulation.

The revised proposed Second Amendment are subject to a 45-day comment period, ending August 14, 2023.

CFPB Issues Preemption Determination that State Commercial Financing Disclosure Laws Are Not Preempted By TILA

May 5, 2023 By Aldys London, Aileen Ng

A&B Abstract:

The Consumer Financial Protection Bureau (CFPB) recently announced that it issued a final preemption determination concluding that certain state disclosure laws applicable to commercial financing transactions in California, New York, Utah, and Virginia are not preempted by the federal Truth in Lending Act (TILA). As covered in a previous post, we note that the California, Utah, and Virginia laws have already gone into effect, and New York’s is set to become effective on August 1, 2023.

State Commercial Lending Laws

After examining the state disclosure laws in California, New York, Utah, and Virginia, the CFPB recently affirmed that there is no conflict with TILA because the state laws extend disclosure protections to businesses seeking commercial financing, which are beyond the scope of TILA’s statutory consumer credit protections. Specifically, the CFPB determined that TILA only preempts state laws under conflict preemption, which the CFPB interprets to mean that TILA preempts state laws only if they are “inconsistent” with TILA.

In California, New York, and Utah, state laws require lenders to issue disclosures in certain commercial financing transactions, the purpose of which is generally defined to mean primarily for other than personal, family, or household purposes. This is in contrast to TILA’s application to consumer credit, which is extended primarily for personal, family, or household purposes. In December 2022, the CFPB made a preliminary determination that New York’s commercial financing disclosure law was not preempted by TILA because the state law regulates commercial financial transactions rather than consumer-purpose transactions.

In Virginia, disclosures are required in connection with “sales-based financing,” which is defined generally as a transaction in which the financing is repaid by the recipient based on a percentage of sales or revenue. “Recipient” means a person whose principal place of business is in Virginia and that applies for sales-based financing and is made a specific offer of sales-based financing by a sales-based financing provider. Based on these definitions, it appears that the Virginia law would not apply to a consumer credit transaction. However, the CFPB generally noted that, to the extent state law could apply to a consumer credit transaction, there would still be no inconsistency with TILA.

Accordingly, the CFPB found that the four states’ commercial financing disclosure laws are not inconsistent with and, therefore, not preempted by the federal TILA.

Takeaway

As states continue to propose and enact similar laws requiring disclosures in commercial financing transactions, an argument that federal law preempts such state laws is unlikely to succeed. Thus, companies should monitor ongoing state regulatory trends in commercial financing transactions to ensure compliance with the consumer-style disclosure requirements that may apply.

New York’s Commercial Finance Disclosure Law Set to Take Effect August 1, 2023

April 4, 2023 By Stephen Ornstein, Josh Dhyani

A&B Abstract:

New York is one of the first states that enacted laws requiring consumer-style disclosures for commercial financing transactions (the “New York Law”). Previously, the New York Department of Financial Services (“NYDFS”) issued guidance stating that compliance with the requirements would be delayed until it issued final implementing regulations. Those final regulations were published on February 1, 2023, with an effective date of August 1, 2023 (the “Final Regulations”).

The Final Regulations

The Final Regulations make a few significant changes from the proposed rules, primarily in response to public comments. For example:

First, New York’s law will apply only where a recipient’s business is principally managed or directed from the state of New York or where the recipient (if a natural person) is a legal resident of the state of New York. This is a change from positions taken in prior proposed versions of the rule, in which New York would have required the disclosures if either the provider or recipient was located in New York.
Second, the Final Regulations clarify that subsidiaries of financial institutions (in addition to the financial institutions themselves) are exempt from the law.
Third, the Final Regulations modify notice requirements related to transfers to adhere to UCC norms.
Fourth, while the Final Regulations still require broker compensation disclosures, it does not impose strict requirements on the format of those disclosures as originally proposed.
Finally, the Final Regulations relaxed strict signature requirements, allowing for disclosures to be provided electronically and by other reasonable means.

Takeaways

New York is among a growing list of states, which include California, Utah, and Virginia, that have enacted laws requiring consumer-style disclosures for commercial financing transactions. As we covered in a previous post, the New York Law has many similarities to the California law that became effective on December 9, 2022. However, New York’s Final Regulations apply to commercial financing transactions of $2.5 million or less, whereas the California regulations apply only to transactions of $500,000 or less. And, as covered in another prior post, Utah also requires registration and disclosures for certain commercial financing transactions of $1 million or less as of January 1, 2023. Notable as well, Virginia has enacted somewhat similar laws applicable to sales-based financing which apply to transactions on or after July 1, 2022. In general, these disclosure laws require specifically formatted lender statements, including the order of the content and respective font sizes. New York has not provided model forms.

While the California, Utah, and Virginia laws have already gone into effect, we expect additional states will also promulgate similar requirements in the future.

Merrily the State CRAs Roll Along

March 8, 2023 By Caroline Eisner

A&B ABstract:

While we wait on the final interagency rule from the Federal Reserve, OCC, and FDIC, Illinois and New York are continuing along with their state Community Reinvestment Acts (CRA).

Illinois CRA Developments

Illinois announced that it would hold public hearings, two on March 2, 2023 and a third on March 8, 2023, to discuss revisions to its proposed rulemaking. The comment period was extended to March 16 to accommodate these hearings and invite further public engagement on their final rule. The Illinois final rule, unlike the federal final rule, will not only apply to state-chartered banks, but also to state-licensed nonbank lenders and state-chartered credit unions. To that end, the three hearings are split among the three groups: the Bank Community Reinvestment hearing at 10 a.m. C.T. on March 2, the Mortgage Community Reinvestment hearing at 2 p.m. C.T. on March 2, and the Credit Union Community Reinvestment hearing will be at 1 p.m. C.T. on March 8. The hearings are to be conducted in person, with dial-in and WebEx accessibility. The IDFPR published the details for interested attendees in the Illinois Register here.

New York CRA Developments

New York, meanwhile, has updated the New York CRA regulations with additional data collection and reporting obligations in connection with minority- and women-owned businesses (“MWBEs”). New York revised its CRA statute effective January 2020 to underscore its commitment to serving MWBEs as well as low- and moderate-income communities. In furtherance to that revision, New York’s Department of Financial Services will now collect data concerning whether a loan or investment benefits MWBEs, in a manner consistent with fair lending laws. This record collection will enable institutions serving these communities to receive CRA consideration for their activities in their state CRA examinations. The NY CRA was amended in 2021 to apply to both state-chartered banks and state-licensed non-depository lenders.

Takeaway

It remains to be seen whether Illinois or New York will issue anything further before the prudential regulators come out with the much-anticipated final CRA rule. Conventional wisdom would anticipate their waiting, but with potential legal challenges to the final CRA rule under consideration by certain banking trade groups, the states may be ready to continue moving forward independently for now and synching back up again once the final federal CRA rules are in effect.