Assessment of public comments on the proposed amendment
On June 28, 2023, the New York Department of Financial Services (NYS DFS) published an Assessment of Public Comments it received on the initial draft of the proposed amendment to the Cybersecurity Regulation.
This document provides interesting insights into the thought process of covered entities and NYS DFS as they work toward finalizing the second amendment. NYS DFS spent six months reviewing public comments and its assessment document was over 90 pages long. WithSecure reviewed the document in detail and is pleased to offer some summary observations for those interested in understanding the latest developments in the evolution of the cybersecurity regulation.
Overall, NYS DFS assessed a total of 150 comments, many of which were thematically similar and were bundled together. As a result of this assessment, NYS DFS revised the proposed draft in response to 32 of the comments, declined to make changes on 109 comments, and deemed nine comments to be not applicable to the regulation.
Most of the comments requested changes to the regulation, with at least 14 related to reducing the frequency of controls and another 14 comments related to modifying certain definitions. Additionally, 18 comments sought clarification on particular sections or specific requirements. Concerns with the cost, burden and scarcity of cybersecurity resources needed to meet the requirements were raised in at least 36 of the comments, and at least 15 of the comments specifically stated that portions of the regulation were too prescriptive.
While performing our review, WithSecure compiled a list of what we believe to be the most significant points which NYS DFS changed (or declined to change) based on the public comments. Note that this list does not include the long shots, such as a suggestion that the requirement for an Annual Certification of Compliance should be removed because the regulation is too vague for anyone to know for sure whether they comply. That would have been a notable change indeed, but it did not appear that NYS DFS gave it serious consideration.
Highlights
- Multi-factor Authentication (MFA) – All the changes effectively reduced the impact of the regulation with one exception: NYS DFS changed the applicability of MFA from (1) remote access to covered entity systems, (2) access to third-party applications, and (3) privileged accounts to “any individual accessing any of the covered entity’s information systems”. This change was based on public comments recommending NYS DFS align the MFA requirement with the FTC Safeguards Rules and principles of zero trust. It will be interesting to see if this “MFA everywhere” requirement stands following the second round of public comments submitted on August 14th.
- Independent Audit – NYS DFS updated this definition to include internal auditors where previously it meant only external auditors. This will give covered entities more flexibility to meet this requirement with in-house resources.
- Risk Assessments by External Experts – NYS DFS removed this requirement based on comments that internal personnel have the requisite expertise and better knowledge of the covered entity’s business than external parties. Commenters also cautioned that the requirement would mainly benefit external auditors who could use the risk assessment for sales purposes, undermining its credibility and potentially resulting in biased findings.
- Security Solutions – There were a number of comments related to the new requirements to implement EDR, SIEM and Privileged Access Management solutions at Class A Companies, as well as controls to monitor and filter web traffic and emails to block malicious content. Commenters argued that these provisions were too prescriptive and mandated the implementation of costly products. NYS DFS declined to change these requirements, noting that the regulation already allows sufficient flexibility and discretion for covered entities to meet these requirements based on their risk assessment.
- BCDR – The scope of the new requirement to maintain business continuity and disaster recovery plans was reduced to ensuring availability in the event of a cybersecurity-related disruption. This change should be helpful for many organizations where the CISO does not have direct responsibility for business continuity management.
- CISO – The new requirement that CISOs must have “adequate authority and sufficient resources to implement and maintain an effective cybersecurity program” drew a lot of comments. Some suggested taking this even further by requiring the board of directors to respond to deficiencies reported by the CISO, having covered entities disclose the CISO’s position in the reporting chain and relationship with the board of directors, and having NYS DFS provide guidance to CISOs on how to report to NYS DFS on excessive risk due to their recommendations not being followed. Others expressed concerns that the requirement for “sufficient resources” could circumvent the budgeting approval process, effectively giving the CISO a blank check. Another commenter suggested replacing the word “authority” with “autonomy”. In response, NYS DFS reiterated the need for CISOs to have adequate authority and resources for their roles but declined to make any changes to the regulation.
- Privileged Accounts – NYS DFS narrowed the definition of “privileged account” by removing the sentence “can be used to affect a material change to the technical or business operations of the covered entity”. This was based on comments that referencing “business operations” made the definition too broad, as it could encompass access required by a wide range of roles including HR, financial analysts and customer service representatives.
- Vulnerability Management – Several commenters expressed concerns about the requirements to conduct annual penetration testing and perform automated scans of systems, stating that this would be costly, burdensome and potentially disruptive to operations. There were requests to reduce the frequency of testing or limit the scope to sensitive data or external facing systems. NYS DFS declined to make changes, noting that continuous testing is critical due to the constant emergence of new vulnerabilities.
- Asset Inventory – Commenters expressed concerns that maintaining a comprehensive asset inventory would be complex and burdensome, and requested limiting this requirement to high-risk assets. NYS DFS declined, citing the importance of a full asset inventory in identifying assets that need protection.
- Remediation Plans – For covered entities submitting acknowledgements of non-compliance, NYS DFS removed the requirement to provide remediation plans and identify all areas, systems and processes that require improvement. Commenters were concerned that such plans, if exposed, could highlight targets for cyberattacks and that submitting a plan to the regulator would restrict flexibility to course correct remediation. Under the revised requirements, covered entities only need to provide remediation plans if the NYS DFS requests them during an examination.
- Security Awareness and Training – NYS DFS removed the requirement that training include social engineering “exercises” which was understood to mean phishing simulations. However, NYS DFS did not agree to requests to decrease the annual training frequency.
- Transitional Periods – NYS DFS extended the deadlines for compliance with the cybersecurity governance, encryption of NPI, incident response and business continuity management, access management, and multi-factor authentication requirements, giving covered entities additional time to implement solutions and remediate any gaps.
- Cybersecurity Events – NYS DFS declined to descope unsuccessful attacks from the requirement for notifications as this information is crucial for the regulator to maintain an understanding of the threat landscape.
- Ransomware Payments – Several commenters raised concerns with the requirement to report ransomware payments and provide justifications. They requested that this provision be removed, or that the timeframe for notification be extended. NYS DFS clarified that notification is triggered when the payment is made, not when the attack occurs, but declined to change the requirement.
- Class A Companies – NYS DFS declined multiple requests to change requirements, thresholds or definitions around the new concept of Class A companies.
- Backups – NYS DFS reduced the scope of backups that must be maintained to those necessary to restore “material” operations.
- Passwords – NYS DFS limited the requirement to implement an automated method of blocking commonly used passwords to “systems owned or controlled by a Class A company and wherever feasible for all other accounts” due to concerns expressed about meeting this requirement for third-party applications.
- Notifications – Numerous comments were submitted regarding notification requirements. Concerns were raised regarding the reporting timeframes and potential duplication with other regulatory agencies. Others asked for clarification on various terms and the types of incidents that require reporting. In response, NYS DFS provided clarifications and made some modifications to the requirements but did not change any of the timeframes.
- Sensitive Information – Concerns were raised with the security of information shared with NYS DFS and there was a request to allow covered entities to redact sensitive information from responses to RFIs. NYS DFS responded that it takes security very seriously and believes that the protections it has put in place are adequate but cannot disclose specifics. With regard to redactions, NYS DFS indicated that covered entities may raise concerns with examiners and discuss redacting specific information under certain circumstances.
On the flip side, WithSecure observed that not all the comments sought to reduce the scope and impact of the regulation. Commenters recommended introducing additional requirements such as “resilience by design”, escrow solutions, threat hunting, machine-learning-based prevention, “phishing-resistance authentication”, vulnerability disclosure programs, software bill of materials (SBOM), mobile device management (MDM), and extended detection and response (XDR). NYS DFS declined all these suggestions except for the MFA requirement previously mentioned.
While the above reflects WithSecure’s view of the most important points, the Assessment of Public Comments contains much more detail, with feedback on over 100 sections of the proposed regulation. A second public comment period on the updated regulation closed on August 14, 2023, and NYS DFS is currently in the process of reviewing these comments as well. Although NYS DFS has not provided a timeframe to complete this work, based on the previous period it can be expected to conclude by October 2023, and the final regulation could potentially be enacted by the end of 2023. WithSecure will continue to monitor and report on future developments as part of our commitment to support organizations in meeting regulatory and other cybersecurity challenges.