Our Take: financial services regulatory update – November 3, 2023

On November 1st, the New York Department of Financial Services (NYDFS) adopted amendments to its Part 500 cybersecurity requirements, marking the first changes to the requirements since 2017. The final amendments follow revisions in June 2023 and November 2022 after the initial proposal in July 2022. They are largely consistent with the revised June proposal, retaining focus on governance and compliance in addition to core cyber defense capabilities:

• Strict requirements for larger companies, including affiliates. The final amendments cement stricter requirements for a new category of “Class A companies,” defined as firms with 2,000 employees or an average of $1b in gross annual revenues over the past three years. Both definitions include “affiliates,” or firms with common ownership that share information systems, cyber resources or any part of a cybersecurity program with the NYDFS-supervised institutions. Class A companies will be required to (1) undergo an independent audit based on risk assessments of their cybersecurity programs; (2) implement an access management password solution and controls to prevent the usage of common passwords for privileged accounts; and (3) implement an endpoint detection and response system to monitor for anomalous activity and generate alerts.
• Executive certification and reporting effective for 2023. The final amendments retain the requirement for the CISO and highest-ranking executive (usually the CEO) to certify for “material compliance.” According to the final implementation timeline, certification will be due by April 15, 2024 for calendar year 2023. CISOs will also need to start reporting to the Board at least annually on material cybersecurity issues and plans for remediating inadequacies in the cyber program. However, there is still no definition for “material,” and therefore firms must establish their own criteria for materiality. If firms can not comply, they must file a written statement of explanation with supporting documentation.
• Audits linked to risk assessments starting April 2024. The final rule requires Class A companies to execute independent audits, based on the risk assessment, rather than on an annual basis.  These can be conducted by internal or external parties, as long as they are conducted by “auditors free to make decisions not influenced by the covered entity being audited or by its owners, managers or employees.” The independent audit requirement becomes effective April 29, 2024.
• New notification requirements starting in 30 days. Under the original draft, firms would be required to notify NYDFS within 72 hours of any cybersecurity event in which an unauthorized user has gained access to a privileged account or in which ransomware has been deployed within a material part of the firm’s systems. The final amendments only require reporting for cyber incidents that have a material likelihood of harming the firm’s normal operations, or where the deployment of ransomware is involved. Firms must notify even if the incident occurs at an affiliate or third party if the firm itself is impacted. In addition, the final amendments require notification of any ransomware payment within 24 hours and creates a continuing obligation to provide updates to the regulator as these become available.
• Net new technology and resiliency requirements. The original amendments would expand current expectations around incident response plans to require that they incorporate the possibility of ransomware incidents. Firms would also be required to implement business continuity and disaster recovery (BCDR) plans that are reasonably designed to ensure the availability and functionality of the covered entity’s services. The final amendments specify that NYDFS would expect firms to test plans at least annually with all applicable staff, including senior management, and conduct routine training of key stakeholders.
• Final transition periods between six months and two years. The most challenging technical requirements take effect after the following transition periods: 180 days for most policy-level changes, with (1) one year for data encryption and incident response plan requirements, as well as CISO and senior governing body requirements, (2) 18 months for access management and malicious code requirements; and (3) two years for multi-factor authentication and asset inventory requirements.

Our Take

After a long period of consideration and revision, the countdown is on for concrete requirements such as CEO and CISO certification of material compliance by April 15th, 2024. Firms may have already been preparing for compliance based on the proposed amendments but should now ramp up their efforts, including budgeting for the changes that will have a heavier operational and technological lift. For example, meeting the asset inventory requirement will be a significant undertaking for many firms even though they have until late 2025 to complete it. In addition, the requirement to include end of life management in policy and service support expiration will force conversations around technology upgrades, which will require budget. Enhancing and testing incident response and BCDR plans with all applicable staff will also take careful thought, time and training. Although NYDFS is now forcing the hand of its supervised institutions, many of the final requirements represent industry leading practices, such as the thorough maintenance of asset inventories, MFA, encryption, BCDR testing including backups, which help to protect both financial institutions and their customers.

While the independent audit requirement has seen significant revision, it remains a powerful check on the cybersecurity program as a whole. NYDFS explained the revision to a more flexible, risk-based approach in light of its understanding that Class A companies typically conduct multiple cybersecurity audits each year. Accordingly, even though it is not stated as an annual requirement, it will effectively remain so due to the annual risk assessment and because the independent audit is a regulatory requirement, it will be a necessary artifact to demonstrate compliance. With certification now including domains outside the typical CISO responsibility, such as asset inventories and continuity testing, an independent audit that includes them will be important in supporting both CISO and CEO certification. It will be necessary to align CISO, technology, and resiliency organizations with independent audit around capability requirements, control design and execution expectations and what constitutes evidence sufficient to support certification.

For publicly listed financial services firms subject to the SEC’s recent cybersecurity disclosure rule, published in July and effective as of September, the NYDFS requirements will pose coordination challenges. Both require incident reporting, but the scope and materiality definitions may differ. For example,the DFS rule applies to the covered entity, which may be one of several subsidiaries of a parent company subject to the SEC rule. However, there are also synergies, such as the mutual emphasis on Board oversight, raising the stakes for Board members to increase their education around the cybersecurity threat environment in order to effectively challenge management.

For more information, see New York pushes stricter cyber requirements: 6 things you need to know now.

These notable developments hit our radar this week:

• FSOC adopts stability risk framework and designation guidance. On November 3rd, the Financial Stability Oversight Council (FSOC) approved final versions of a new analytic framework for financial stability risks and updated guidance on the nonbank financial company (NBFI) determinations process. The analytic framework describes the FSOC’s approach for identifying, assessing and addressing potential risks to financial stability. It also describes the range of responses the FSOC may take depending on the nature of the identified risk: coordinating with regulatory agencies, providing recommendations to regulators or Congress, designating payment, clearing, and settlement activities that are, or are likely to become, systemically important. and designating NBFIs for Fed supervision and regulation. The NBFI guidance describes a two stage process for reviewing an NBFI for designation that includes formal notification, requests for information, and the opportunity for the NBFI to request a hearing if designation is proposed. The guidance further describes annual reevaluations of designations and the process for rescinding a designation if the company mitigates the identified risks. Both are effective 60 days after publication in the federal register.
• DOL revives fiduciary rule. On October 31st, the Department of Labor (DOL) proposed a new rule to update the definition of an “investment advice fiduciary” under the Employee Retirement Income Security Act (ERISA). The DOL had previously enacted a fiduciary rule in 2016 that was vacated in 2018. The new proposal seeks to fill gaps in the SEC’s Regulation Best Interest, which sets conduct standards advice concerning securities and funds, by extending fiduciary requirements to commodities, fixed index annuities, and 401(k) rollovers.
• SEC finalizes new swap execution facility rules. On November 2nd, the SEC finalized new rules which set up a registration and regulation process for trading platforms and provide clarity on how they should execute trades. The rules also address conflicts of interest of security-based swap execution facilities (SBSEFs) and national securities exchanges that trade security-based swaps (SBS). The rules will go into effect 60 days after being published in the Federal Register.
• GOA makes a decision on SEC crypto guidance. On October 31st, the Government Accountability Office (GAO) made a decision that the SEC issued guidance (from March 2022) on how covered entities should account for and disclose their custodial obligations to safeguard cryptoassets held for their platform users is a “rule” and therefore must be submitted to Congress for review. Under the Congressional Review Act (CRA) before a rule can take effect, an agency must submit a report on the rule to both Congress as well as the Comptroller General for review which the SEC did not do as it was released as a “Staff Accounting Bulletin” (SAB) which is more interpretive guidance and not a rule. However, many, including SEC Commissioner Hester Peirce questioned the manner in which the change was made which resulted in this GAO investigation.
• Treasury’s FIO starts data collection to assess climate related financial risks to consumers. On November 1st, the Treasury’s Federal Insurance Office (FIO) took its first critical step to proceed with data collection from insurers to assess climate-related financial risk to consumers. This data is particularly important given recent insurer pullbacks and significant premium increases in several states. FIO’s data collection will obtain previously unavailable insurance data at a zip code level from the largest homeowners insurance providers that collectively underwrite around 70% of homeowners insurance premiums nationwide.
• CFPB issues report on state CRA laws. On November 2nd, the CFPB published a new analysis on state Community Reinvestment Act (CRA) laws. The report examined the laws of seven states (Connecticut, Illinois, Massachusetts, New York, Rhode Island, Washington, West Virginia) and the District of Columbia, and found that many of those states adopted laws similar to the federal CRA law. While the federal CRA law applies strictly to banks, state reinvestment laws can apply to a wide range of financial institutions, including nonbank mortgage companies.