On July 29, 2022, the New York Department of Financial Services (“NYDFS”) released Draft Amendments to its Cyber Security Regulations. The Amendments, if adopted, would further regulatory trends and impose important new requirements on covered entities.
The Amendments contain three significant changes relating to ransomware. First, the Amendments specifically add “the deployment of ransomware within a material part of the covered entity’s information system” as a cybersecurity event requiring notice to the superintendent within 72 hours. Under the current regulations, 72-hour notice would only be required if the ransomware required notice to another governmental body or had a reasonable likelihood of materially harming any material part of normal operations. Second, the Amendments would require covered entities to notify the superintendent within 24 hours of making an extortion payment. Finally, the Amendments would require covered entities to provide within 30 days a written description of the reasons payment was necessary, a description of alternatives to payment considered, all diligence performed to find alternatives to payment, and all diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control. If passed, this third component would represent a significant new obligation for covered entities, potentially changing the manner in which companies document ransomware responses.
In addition to the ransomware changes, the Amendments would also require, among other things: (1) multi-factor authentication for all privileged accounts, as well as for remote access to the network and enterprise and third-party applications from which nonpublic information is accessible; (2) increased expectations for board expertise; (3) significant restrictions on privileged accounts; and (4) annual independent cybersecurity audits for larger entities. The Amendments have a short comment period ending on August 8, 2022, followed by publication of the official proposed amendments, after which a 60-day comment period will occur.
Given the comment periods that will occur, it is premature to speculate as to the final form of the Amendments. However, based on the draft Amendments, it is safe to say that the NYDFS seems to be following the trend towards increased regulatory scrutiny. Covered entities should start assessing how significant the changes required for compliance would be.