New York’s Cybersecurity Regulation continues its phased roll-out on November 1, when licensed financial services companies face a host of new requirements aimed at bolstering breach readiness and improving their ability to recover from disastrous situations. Companies will be required to put in writing how they would address several common pressure points in the breach response and mitigation process – including how they plan to recover from backups if critical data is lost.
New York-licensed financial services companies (“covered entities” under the regulation) have been required to maintain written incident response plans since 2017, when New York’s Department of Financial Services first enacted its comprehensive Cybersecurity Regulation. But last year’s amendments – which became effective November 1, 2023, with phased compliance timelines – ratcheted up on specifics. On top of pre-existing requirements, beginning this Friday written incident response plans must also address each of the following key areas:
- Recovery from backups.
- Preparation of root cause analysis that describes how and why the event occurred, what business impact it had, and what will be done to prevent reoccurrence.
- Updating of incident response plans as necessary.
The emphasis on backups does not stop there. Starting Friday, covered entities are explicitly required to maintain backups “necessary to restore material operations[,]” which must be “adequately protected from unauthorized alterations or destruction.” Covered entities must test their ability to restore critical data and information systems from backups at least annually and train responsible employees on how to carry out recovery procedures.
The focus on proper maintenance and testing of backups makes sense, given that the viability of backups can make the difference between a multi-million-dollar ransom payment, on the one hand, and a seamless recovery from a ransomware attack, on the other. The Department recommends against paying ransoms, so the amendments seem wisely tailored to helping covered entities avoid getting stuck between a rock and a hard place. The guidance provides that covered entities should maintain comprehensive backups that will allow recovery in the event of a ransomware attack – including at least one set of backups that is segregated from the network and completely offline.
Other requirements taking effect this Friday include the following:
- Business Continuity and Disaster Recovery plan. In addition to written incident response plans, covered entities must also maintain a written BCDR plan that is reasonably designed to ensure the availability and functionality of the covered entity’s information systems and material services and protect the covered entity’s personnel, assets, and nonpublic information in the event of a cybersecurity-related disruption to its normal business activities.
- New requirements for CISOs. Covered entities must appoint a Chief Information Security Officer, who must timely report material cybersecurity issues to the senior governing body or senior officer(s). This includes significant cybersecurity events and significant changes to the covered entity’s cybersecurity program.
- Senior governing body must exercise oversight of cybersecurity and risk management matters. The senior governing body of the covered entity must exercise oversight of the covered entity’s cybersecurity risk management – which includes having sufficient understanding of cybersecurity-related matters to exercise that oversight. The senior governing body must also require executive management (or its designees) to develop, implement, and maintain the cybersecurity program; regularly receive and review management reports about cybersecurity matters; and confirm that management has allocated sufficient resources to implement and maintain the cybersecurity program.
- Nonpublic information must be encrypted while in transit and while “at rest.” A covered entity must implement a written policy requiring encryption that meets industry standards to protect nonpublic information held or transmitted by the covered entity – both while in transit over external networks, and while “at rest.” The feasibility of encryption and effectiveness of the compensating controls must be reviewed by the CISO at least once a year.
- Small businesses no longer exempt from multi-factor authentication requirement. Previously, entities meeting the criteria for the small business classification were exempt from Section 500.12, which requires covered entities to use multi-factor authentication for remote access. That exemption will end this Friday. The amendments require small businesses to use MFA for (1) remote access to the covered entity’s information systems; (2) remote access to third-party applications, including but not limited to those that are cloud-based, from which non-public information is accessible; and (3) all privileged accounts other than service accounts that prohibit interactive log-in.
The Constangy Cyber Team assists businesses of all sizes and industries with implementing necessary updates to their privacy and compliance programs to address these complex and evolving developments. If you would like additional information on how to prepare your organization, please contact us at cyber@constangy.com.
- Partner
David is a partner in Constangy's New York office and a member of the Constangy Cyber Team. David assists clients in identifying, remediating and responding to a wide variety of data security incidents, including overseeing ...
The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation.
Subscribe
Contributors
- Suzie Allen
- John Babione
- Bert Bender
- Ansley Bryan
- Jason Cherry
- Christopher R. Deubert
- Maria Efaplomatidis
- Sebastian Fischer
- Laura Funk
- Lauren Godfrey
- Taren N. Greenidge
- Chasity Henry
- Julie Hess
- Sean Hoar
- Donna Maddux
- David McMillan
- Ashley L. Orler
- Todd Rowe
- Melissa J. Sachs
- Allen Sattler
- Brent Sedge
- Matthew Toldero
- Alyssa Watzman
- Aubrey Weaver
- Xuan Zhou