On June 28, 2023, New York’s Department of Financial Services (DFS) published a revised proposed Second Amendment to its Part 500 Cybersecurity Rules which imposes heightened cybersecurity obligations on large financial institutions. We intend to submit a second round of comments supporting the positive changes that were made and providing additional reasons why the suggested changes that were not made should be incorporated. We welcome any input that you would like to see reflected in those comments.
Comments to DFS are due by 5:00 p.m. ET on August 14, 2023.
DFS published an initial proposed Second Amendment in November of last year and this version incorporates changes based on comments gathered in the initial 60-day comment period that ended on January 9, 2023. The Council and WSIA submitted joint comments on the proposed Amendment focusing on four key areas:
- Deletion of a duplicative provision regarding exemptions for agents/employees
- The broad definition of “Class A companies” and its treatment of affiliates
- Duplicative auditing requirements on Class A companies
- Lack of clarity on the exception regarding automated password blocking
Below we summarize the key areas of concern outlined in our initial letter and indicate where DFS accepted our suggestions and where we intend to press for further changes. We will be assessing the revisions in more detail in the coming weeks and welcome any additional suggestions to include in our second round of comments.
A redline of DFS’s changes can be found here.
➔ Deletion of § 500.11(c)
We asked DFS to confirm our reading that the deletion of the limited exemption for agents and employees (§ 500.11(c)) represents a technical fix to the regulation rather than a material change, given that the general exemption in § 500.19(b) was left unaltered.
- DFS retained the deletion of § 500.11(c) and did not provide further guidance. DFS also revised the exemption in § 500.19(b) to add “wholly-owned subsidiaries” to the list of entities that are exempt from developing their own cybersecurity programs.
➔ Definition of Class A Companies
Our initial comments expressed concern about the broad definition of “Class A company” and its expansive use of “affiliates” in defining such companies.
- DFS accepted our suggestion that affiliates include only those that share information systems, cybersecurity resources or all or any part of a cybersecurity program with the covered entity.
- DFS did not incorporate our suggestion that affiliates only be swept in if they themselves qualify as a “covered entity.” We will follow up on this issue.
➔ Auditing Requirements
Our comments noted that requiring Class A companies both to conduct an annual independent audit and to engage external experts for a risk assessment every three years would be unnecessarily duplicative.
- DFS accepted our suggestion and eliminated the additional requirement that Class A companies obtain an external risk assessment every three years. DFS also clarified the definition of “independent audit” to include internal as well as external auditors.
➔ Password Blocking
The provision requiring an automated method of blocking commonly used passwords contains an “infeasibility” exception that allows the entity’s chief information security officer to instead use “reasonably equivalent or more secure compensating controls.” We sought clarification on what would be considered reasonably equivalent in such a circumstance.
- The provision remains unchanged, and DFS provided no further guidance.
To provide input, please contact Joel Kopperud, SVP of Government Affairs.