August 14, 2023

Submitted via email: [email protected]

New York State Department of Financial Services
1 State Street
New York, NY 10004

Re: Cybersecurity Requirements for Financial Services Companies (June 28, 2023)

Dear Sir or Madam,

The Securities Industry and Financial Markets Association (“SIFMA”)1 and the Bank Policy Institute (“BPI”)2 (together, “the Associations”) appreciate the opportunity to comment on the New York Department of Financial Services’ (“NYDFS” or the “Department”) Revised Proposed Second Amendment to 23 NYCRR 500 (“Revised Amendment”).

The Associations thank the Department for its responsiveness to the previous comment period. The Associations welcome many of the changes in the Revised Amendment, particularly amending the definitions of “Class A Companies” and “Independent Audit,” narrowing the scope of business continuity and disaster recovery (“BCDR”) plans to the covered entity’s information systems and material services, and amending governance requirements around cybersecurity expertise.

These changes represent clear progress toward creating a risk-based regulatory framework that can ensure and improve the safety and resiliency of the New York financial services industry’s digital infrastructure. However, the Associations believe there are additional areas where the Revised Amendment can be further enhanced. We respectfully offer the following recommendations for further revision.

Executive Summary

The recommendations and considerations discussed at greater length below include, among others, the following:

• MFA Requirements: The Associations are concerned that the Revised Amendment now states that multi-factor authentication (“MFA”) must “be utilized for any individual accessing any of the covered entity’s information systems.” Section 500.12(a). It is unclear whether these new MFA requirements would encompass employees who are accessing routine parts of the company network while using a computer at the office. The Associations understand that employees using a physical office keycard or ID badge to enter their office would be providing a possession factor that, when paired with a knowledge or inherence factor, would satisfy the MFA requirements. Similarly, the Associations understand that, for employees that access information systems on their mobile devices, when such access involves mobile device management software or other possession tokens, along with password requirements, that would satisfy the MFA requirements. If NYDFS does not share the Associations’ understanding of possession factors, the Department should reconsider this approach and revert to the language in the previous draft of the Second Amendment, or, at a minimum, consider reinserting language to allow entities to implement MFA using a risk-based approach. The Associations also urge the Department to clarify that MFA requirements do not apply to customers accessing their own information. If robust MFA requirements were required for customer use, that would impose significant burdens on customers without meaningful additional cybersecurity for the individual or the covered entity.
• Frequency of Certain Requirements: The Associations note that, in addition to the annual risk assessment, covered entities have annual assessment requirements for the independent audit, policy and procedure review, penetration testing, user access privilege review, application security development review, testing of incident response plans and business continuity and disaster recovery plans with senior officers and the CEO, and the ability to restore critical data and information systems from backups. The Associations urge the Department to consider retaining the annual risk assessment while removing the annual cadence for other assessment requirements and instead allow companies to fulfill these requirements periodically, consistent with risks identified in the annual risk assessment, but at least once every three years.
• Approval of Cyber Policies: The Associations understand that NYDFS elected not to remove the requirement that governing bodies approve their covered entity’s cybersecurity policy to ensure that boards are aware of cybersecurity risks. The Associations agree with the Department that boards must be aware of cybersecurity risk, but do not believe that approving cybersecurity policies is the best or only way to achieve that objective. Instead, management should develop, approve, and implement the cybersecurity policies, and boards, or appropriate board committees, should be aware of those policies in order to effectively carry out their oversight obligations. Doing so would align Part 500 with other regulatory regimes like the Gramm-Leach-Bliley Act.
• CISO Responsibilities: The Associations are concerned that the requirements under the new definition for Chief Information Security Officers (“CISO”) in Section 500.1(c) could misplace responsibility for potential failures to direct sufficient resources to cybersecurity. The Associations urge the Department to remove the language that requires CISOs to have adequate authority to direct sufficient resources to implement and maintain an effective cybersecurity program or make clear that this responsibility rests with management and not the CISO.
• Notification of Cybersecurity Events: As currently drafted, the Revised Amendment has three notification triggers for cyber events that depend on impact to the covered entity. The Associations urge NYDFS to clarify that the notification trigger for unauthorized access to a privileged account also requires an impact to the covered entity and that the unauthorized access involves a privileged account associated with a material part of the covered entity’s information system. Additionally, the Associations urge the Department to clarify that covered entities are only required to notify under Section 500.17(a)(1)(i) when notice is required to be provided by the covered entity to any government body, self-regulatory agency, or any other supervisory body. Finally, the Associations urge the Department to adjust the continuing obligation in Section 500.17(a)(2) such that it only applies to updates on material changes or additions to information previously provided.
• Notification of Compliance: The Associations welcome the addition of a materiality threshold for certifying compliance in Section 500.17(b)(1)(i) and urge NYDFS to adopt the same threshold for the documentation requirements for certifications and for the acknowledgment of noncompliance. The Associations also welcome NYDFS removing the requirement that covered entities that submit a written acknowledgement of noncompliance include the areas that required material improvement. For the same reasons, the Associations urge NYDFS to also eliminate the requirement that covered entities submit a written acknowledgment describing the nature and extent of their noncompliance. Finally, the Associations urge the Department to reconsider requiring CEOs to certify compliance under Section 500.17(b)(2), as CEOs are often not deeply involved in overseeing cybersecurity and instead delegate that responsibility to another member of senior management who would be better positioned to certify along with the CISO.
• Privileged Access Requirements: The Associations urge the Department to make the requirement for a Class A company to monitor privileged access activity based upon the company’s risk assessment. The Associations also urge the Department to clarify that the requirement for Class A companies to implement an automated method of blocking commonly used passwords applies to all privileged accounts and not to all accounts. Alternatively, the Associations urge the Department to consider replacing the requirement for an automated method of blocking commonly used passwords with a requirement for covered entities to configure password complexity (i.e., letter, number, special character), limits on invalid login attempts before an account is locked, minimum password length, and configuration of password history.

 

1 The Securities Industry and Financial Markets Association (“SIFMA”) is the leading trade association for broker-dealers, investment banks, and asset managers operating in the U.S. and global capital markets. On behalf of our industry’s one million employees, we advocate on legislation, regulation and business policy affecting retail and institutional investors, equity and fixed income markets and related products and services. We serve as an industry coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency. We also provide a forum for industry policy and professional development. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (“GFMA”). For more information, visit http://www.sifma.org.

2 BPI is a nonpartisan group representing the nation’s leading banks. BPI members include universal banks, regional banks, and the major foreign banks doing business in the United States. Collectively, BPI members hold $10.7 trillion in deposits in the United States; make 68% of all loans, including trillions of dollars in funding for small businesses and household mortgages, credit cards, and auto loans; employ nearly two million Americans; and serve as a principal engine for the nation’s financial innovation and economic growth. Business, Innovation, Technology and Security (“BITS”), BPI’s technology policy division, provides an executive-level forum to discuss and promote current and emerging technology, foster innovation, reduce fraud, and improve cybersecurity and risk management practices for the financial sector.