August 12, 2022

NYDFS Announces Draft Amendments to Cybersecurity Regulation

Key Takeaways

  • The Amendments, if adopted, would further regulatory trends and impose important new requirements on covered entities.

On July 29, 2022, the New York Department of Financial Services ("NYDFS") released Draft Amendments to its Cyber Security Regulations.  The Amendments, if adopted, would further regulatory trends and impose important new requirements on covered entities.

The Amendments contain three significant changes relating to ransomware.  First, the Amendment specifically adds "the deployment of ransomware within a material part of the covered entity's information system" as a cybersecurity event requiring notice to the superintendent within 72 hours.  Under the current regulations, 72-hour notice would only be required if the ransomware required notice to another governmental body or had a reasonable likelihood of materially harming any material part of normal operations.  Second, the Amendment would also require covered entities to notify the superintendent within 24 hours of making an extortion payment.  And finally, the Amendment would require covered entities to provide within 30 days a written description of the reasons payment was necessary, a description of alternatives to payment considered, all diligence performed to find alternatives to payment, and all diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control.  If passed, this third component would represent a significant new obligation for covered entities, potentially changing the manner in which companies document ransomware responses.

In addition to the ransomware changes, the Amendments would also require, among other things: (1) multi-factor authentication for all privileged accounts, as well as for remote access to the network and enterprise and third-party applications from which nonpublic information is accessible; (2) increased expectations for board expertise; (3) significant restrictions on privileged accounts; and (4) annual independent cybersecurity audits for larger entities.  The Amendments have a short comment period ending on August 8, 2022, followed by the publishing of the official proposed amendments, after which a 60-day comment period will occur.

Given the comment periods that will occur, it is premature to speculate as to the final form of the Amendments. However, based on the draft Amendments, it is safe to say that the NYDFS seems to be following the trend towards increased regulatory scrutiny. Covered entities should start assessing how significant the changes needed to comply would be.
