NY-licensed financial services companies must harden incident response plans, improve breach readiness by November 1

New York’s Cybersecurity Regulation continues its phased roll-out on November 1, when licensed financial services companies face a host of new requirements aimed at bolstering breach readiness and improving their ability to recover from disastrous situations. Companies will be required to put in writing how they would address several common pressure points in the breach response and mitigation process – including how they plan to recover from backups if critical data is lost.

New York-licensed financial services companies (“covered entities” under the regulation) have been required to maintain written incident response plans since 2017, when New York’s Department of Financial Services first enacted its comprehensive Cybersecurity Regulation (23 NYCRR Part 500). But last year’s amendments – which became effective November 1, 2023, with phased compliance timelines – ratcheted up the specifics. On top of the pre-existing requirements, beginning this Friday written incident response plans must also address each of the following key areas:

  • Recovery from backups.
  • Preparation of a root cause analysis that describes how and why the event occurred, what business impact it had, and what will be done to prevent recurrence.
  • Updating of incident response plans as necessary.

The emphasis on backups does not stop there. Starting Friday, covered entities are explicitly required to maintain backups “necessary to restore material operations[,]” which must be “adequately protected from unauthorized alterations or destruction.” Covered entities must test their ability to restore critical data and information systems from backups at least annually and train responsible employees on how to carry out recovery procedures. 

The focus on proper maintenance and testing of backups makes sense, given that the viability of backups can make the difference between a multi-million-dollar ransom payment, on the one hand, and a seamless recovery from a ransomware attack, on the other. The Department recommends against paying ransoms, so the amendments seem wisely tailored to helping covered entities avoid getting stuck between a rock and a hard place. The guidance provides that covered entities should maintain comprehensive backups that will allow recovery in the event of a ransomware attack – including at least one set of backups that is segregated from the network and completely offline.
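The regulation states what a backup program must achieve (protection from unauthorized alteration or destruction, and a tested ability to restore) without prescribing how. The following is an added illustration, not text or code from the regulation, the Department, or this post: a small Python restore drill that records a per-file SHA-256 manifest for a backup, authenticates that manifest with an HMAC so tampering with either the archive or the manifest is detected, and then restores the archive and re-hashes every file. The sample data, file names, and the in-memory key are constructed for the demonstration; in practice the manifest key would be held somewhere the backup host cannot reach (an HSM or an offline secret store), and the archive itself would be the offline copy the guidance calls for.

```python
"""Backup restore drill: tamper-evident manifest plus restore verification.
Added illustration; not code from NYDFS or the original post."""
import hashlib
import hmac
import json
import os
import tarfile
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src_dir, archive_path, manifest_path, manifest_key):
    """Archive src_dir and write a manifest of per-file SHA-256 digests plus the
    digest of the archive itself, authenticated with an HMAC. The key is assumed
    to live off the backup host, so an attacker who controls that host cannot
    forge a matching manifest after altering the archive."""
    files = {}
    for root, _, names in os.walk(src_dir):
        for name in names:
            full = os.path.join(root, name)
            files[os.path.relpath(full, src_dir)] = _sha256(full)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    body = {"files": files, "archive_sha256": _sha256(archive_path)}
    body_bytes = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(manifest_key, body_bytes, hashlib.sha256).hexdigest()
    with open(manifest_path, "w") as f:
        json.dump({"body": body, "hmac": tag}, f)
    return body


def restore_drill(archive_path, manifest_path, manifest_key, restore_dir):
    """Check manifest authenticity and archive integrity, then restore and
    re-hash every file. 'ok' is True only if every check passed."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    body_bytes = json.dumps(manifest["body"], sort_keys=True).encode()
    expected = hmac.new(manifest_key, body_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return {"ok": False, "reason": "manifest HMAC mismatch"}
    body = manifest["body"]
    if _sha256(archive_path) != body["archive_sha256"]:
        return {"ok": False, "reason": "archive digest mismatch"}
    os.makedirs(restore_dir, exist_ok=True)
    with tarfile.open(archive_path, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):      # Python 3.12+ (and backports)
            tar.extractall(restore_dir, filter="data")  # refuse path traversal
        else:
            tar.extractall(restore_dir)
    mismatched = []
    for rel, digest in body["files"].items():
        restored = os.path.join(restore_dir, rel)
        if not os.path.isfile(restored) or _sha256(restored) != digest:
            mismatched.append(rel)
    return {"ok": not mismatched, "files_checked": len(body["files"]),
            "mismatched": mismatched}


def run_demo():
    """Run the drill on constructed sample data: once clean, once after the
    archive is altered, once after the manifest is edited to cover that up."""
    key = b"demo-manifest-key-keep-this-offline"   # assumption: stored off-host
    results = {}
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "prod")
        os.makedirs(os.path.join(src, "ledger"))
        sample = {"customers.csv": b"id,name\n1,Ada\n",        # constructed data
                  "ledger/2024-10.csv": b"acct,amt\n1,100\n",
                  "ledger/2024-11.csv": b"acct,amt\n1,-25\n"}
        for rel, content in sample.items():
            with open(os.path.join(src, rel), "wb") as f:
                f.write(content)
        archive = os.path.join(work, "prod.tar.gz")
        manifest = os.path.join(work, "prod.manifest.json")
        create_backup(src, archive, manifest, key)
        results["clean"] = restore_drill(archive, manifest, key,
                                         os.path.join(work, "restore1"))
        with open(archive, "ab") as f:             # unauthorized alteration
            f.write(b"\x00")
        results["tampered_archive"] = restore_drill(archive, manifest, key,
                                                    os.path.join(work, "restore2"))
        with open(manifest) as f:                  # attacker edits manifest
            m = json.load(f)                       # without knowing the key
        m["body"]["archive_sha256"] = _sha256(archive)
        with open(manifest, "w") as f:
            json.dump(m, f)
        results["tampered_manifest"] = restore_drill(archive, manifest, key,
                                                     os.path.join(work, "restore3"))
    return results


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The drill deliberately fails closed: a forged manifest is rejected before the archive digest is even consulted, and the archive is never extracted if its digest does not match. Running the clean path on a schedule, with its result recorded, is the kind of evidence an examiner will ask for when checking the annual restore-testing requirement.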

Other requirements taking effect this Friday include the following:

  • Business Continuity and Disaster Recovery plan. In addition to written incident response plans, covered entities must also maintain a written BCDR plan that is reasonably designed to ensure the availability and functionality of the covered entity’s information systems and material services and protect the covered entity’s personnel, assets, and nonpublic information in the event of a cybersecurity-related disruption to its normal business activities. 
  • New requirements for CISOs. Covered entities must appoint a Chief Information Security Officer, who must timely report material cybersecurity issues to the senior governing body or senior officer(s). This includes significant cybersecurity events and significant changes to the covered entity’s cybersecurity program.
  • Senior governing body must exercise oversight of cybersecurity and risk management matters. The senior governing body of the covered entity must exercise oversight of the covered entity’s cybersecurity risk management – which includes having sufficient understanding of cybersecurity-related matters to exercise that oversight. The senior governing body must also require executive management (or its designees) to develop, implement, and maintain the cybersecurity program; regularly receive and review management reports about cybersecurity matters; and confirm that management has allocated sufficient resources to implement and maintain the cybersecurity program.
  • Nonpublic information must be encrypted while in transit and while “at rest.” A covered entity must implement a written policy requiring encryption that meets industry standards to protect nonpublic information held or transmitted by the covered entity – both while in transit over external networks, and while “at rest.” Where the covered entity determines that encrypting nonpublic information at rest is infeasible, it may instead rely on compensating controls approved in writing by the CISO; the feasibility of encryption and the effectiveness of those compensating controls must be reviewed by the CISO at least once a year.
  • Small businesses no longer exempt from the multi-factor authentication requirement. Previously, entities meeting the criteria for the small business classification were exempt from Section 500.12, which requires covered entities to use multi-factor authentication for remote access. That exemption ends this Friday. The amendments require small businesses to use MFA for (1) remote access to the covered entity’s information systems; (2) remote access to third-party applications, including but not limited to those that are cloud-based, from which nonpublic information is accessible; and (3) all privileged accounts other than service accounts that prohibit interactive log-in.

The Constangy Cyber Team assists businesses of all sizes and industries with implementing necessary updates to their privacy and compliance programs to address these complex and evolving developments. If you would like additional information on how to prepare your organization, please contact us at cyber@constangy.com.

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 
