This is the first in a series of blog posts analyzing proposed changes in the New York Department of Financial Services ("NYDFS") Cybersecurity Regulation announced on November 9, 2022 and expected to take effect in 2023. (Our post introducing the series is here.)
We begin with a proposed new definition of "risk assessment" that will require information security consultants to redesign the entire risk assessment process. Risk assessment is at the core of the Regulation. The primary obligation on entities to perform risk assessments is found in section 500.2 of the Regulation:
"(a) Each covered entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the covered entity's information systems and nonpublic information stored on those information systems.
(b) The cybersecurity program shall be based on the covered entity's risk assessment..."
The "based on the risk assessment" language is also found in sections 500.2, 3, 5, 6, 7, 9, 11, 12, and 14 (Note: section 500.14 uses "reflect" instead of "based"). Interestingly, section 500.15 (Encryption) removes "based on its risk assessment" and substitutes "that meets industry standards." The risk assessment requirement was added after NYDFS drafted the initial regulation based on comments that the original draft was not "risk-based." This was helpful, but as you will see, it also complicates compliance.
A new definition of "risk assessment". The existing risk assessment definition had no details about what was required to be included, except in the broadest terms. The proposed new definition of a risk assessment is:
Risk assessment means the [risk assessment that each covered entity is required to conduct under section 500.9 of this Part] process of identifying cybersecurity risks to organizational operations (including mission, functions, image and reputation), organizational assets, individuals, customers, consumers, other organizations and critical infrastructure resulting from the operation of an information system. Risk assessments shall take into account the specific circumstances of the covered entity, including but not limited to its size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations. Risk assessments incorporate threat and vulnerability analyses, and consider mitigations provided by security controls planned or in place.
Most information security consultants conduct risk assessments based on existing standards or frameworks, such as the SANS Top 20 (now 18), the NIST Cybersecurity Framework, ISO 2700 or NIST 800-53 rev. 5. Usually, they include the concept of the maturity of the company in a number of defined areas based on a maturity model. These types of risk assessments are designed for cybersecurity defense. However, the proposed NYDFS definition will require information security consultants to redesign their risk assessments based on a subjective list of factors specifically tailored to the company. This will not be easy, as this will cause the baseline risk assessment to be more expensive and take longer. Lawyers will need to review the scope of work for the risk assessment to make sure it will meet the regulatory requirements. This all adds cost and complexity to the risk assessment process.
Once the risk assessment is done, the policies, procedures and company operations need to reflect the findings. Once again, lawyers need to be involved in the translation from the findings to the revisions to policies and procedures. This will add to the overall cost and timeline to complete the reviews and updates to the policies and procedures. The entire program will need to be reevaluated solely based on the revised definition.
Additionally, NYDFS is requiring (in section 500.9) that the risk assessment be updated at least annually. And, Class A companies – generally, companies, who together with affiliates, have $20MM of revenue in NY, and either 2,000 employees and contractors, or revenues over $1bn in each of the prior two years – will be required to have third parties conduct the risk assessment at least once every three years.
SOC2 audits may not be enough. For readers that have external auditors conduct SOC2 audits, and think that SOC2 audits will satisfy requirements, be aware that the Trust Services Principles do not line up exactly with the NYDFS' risk assessment definition. Class A companies who will be required to obtain a third party audit should start talking with their auditors now. Companies may look to NIST SP 800-30 (Guide for Conducting Risk Assessments), but this too does not directly link to the NYDFS requirements.
Current enforcement. The reason all of this is of critical importance is that NYDFS has recently started enforcing the risk assessment requirement in a different, more troubling way. In their Consent Order with EyeMed, NYDFS found that a failure to assess a component of the EyeMed system (a mailbox that was the cause of a data breach, and the subsequent regulatory failures), caused their risk assessment to not be "adequate" and therefore, the cybersecurity program could not be designed based on the risk assessment. EyeMed ended up with a $4.5MM fine. That was before the proposed changes.
Almost every breach results from a control failure. If the failure is not identified in the risk assessment, the risk assessment may not be "adequate." This places significantly more pressure on organizations to conduct highly effective risk assessments, and to clearly document risk mitigation and acceptance. This is going to be a long and difficult road for covered entities under the Regulation.
This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.