This is the fifth post in a series of blog posts that analyze certain major proposed changes in the New York Department of Financial Services (“NYDFS”) Cybersecurity Regulation. If you missed them, our other posts – covering changes to risk assessments, policies and procedures, the role of the CISO, and board level impacts – are here, here, here and here.
A new definition.
The proposed regulation redefines large or “Class A” companies under section 500.1(c) as: companies with over 2,000 employees (which includes affiliates and without regard to location) or companies with one billion in annual gross revenue (which includes affiliates and without regard to location) in each of the past two years.
Five new obligations for large companies.
In addition to obligations concerning risk assessment covered in our first post that apply generally to all companies, Class A companies have five additional, more robust obligations, including:
- conducting an annual independent audit (500.2(c));
- conducting systemic scans or reviews of a company’s information systems at least weekly (500.5(a)(2));
- monitoring privileged access activity and adopting secure access controls (500.7(b));
- using external experts to conduct a risk assessment at least once every three years (500.9(d)); and
- using secure controls or tools including an endpoint detection and response solution to monitor anomalous activity, and a solution that centralizes logging and security event alerting (500.14(b)).
The most significant change: an annual independent audit.
In our opinion, of the above, the most impactful proposed change is the requirement of an annual independent audit.
Class A companies may consider a “System and Organizational Controls” (“SOC2®”) audit, since it is the closest audit to the Cybersecurity Regulation’s requirements, and some companies have already performed a SOC2® audit, at least on certain operations. (CPAs perform SOC2® audits for organizations to provide information about controls relevant to security, availability, processing integrity, confidentiality, or privacy.) Class A companies will have 180 days from the date that the updated Cybersecurity Regulations come into effect to be in compliance (or a different transition period for certain sections, including sections 500.7(b) and 500.14(b), which both provide one-year periods for compliance). Non-exempt companies have only 120 days after becoming non-exempt. However, a SOC2® takes a year to complete, and during that year the controls must be tested for at least six months. For a large company, this will be an expensive process.
SOC2® audits do not automatically cover the full scope of, and particular controls required by, the NYDFS Regulation. If a company chooses to go with a SOC2® audit, the company must consider whether the scope of the audit covers the Cybersecurity Regulation, including the particular technical requirements and the enhanced information security and business continuity based on the company’s business description. Additionally, the third-party management requirement in the NYDFS Regulation has requirements that are not normally reviewed and tested in a SOC2®. Auditors will have to learn much more about the NYDFS’ Cybersecurity Regulation, and work with large covered entities to adjust the audit to meet these requirements.
If you have any questions about how the revised NYDFS Regulation impacts large companies, or questions about other privacy and data security issues, contact Rick Borden at (212) 705-4884 or email@example.com, Daniel Goldberg at (310) 579-9616 or firstname.lastname@example.org, Saphya Council at (212) 826-5575 or email@example.com, or any other member of the Frankfurt Kurnit Privacy & Data Security Group.