October Cybersecurity Awareness Month Closes Out With Notable Changes in U.S. Regulation: New FTC Safeguards and NYDFS Cybersecurity Requirements Revealed

The cybersecurity world is ablaze as recent developments demonstrate an increased expectation of accountability and competence in the space. This trend is unsurprising given high-profile cyber-attacks coupled with advances in artificial intelligence (AI).  In fact, days after releasing the Administration’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, Vice President Kamala Harris opined that AI could enable cyber-attacks “at scale beyond anything we have ever seen.[1]” From the White House to The Big Apple, government authorities are seeking to address looming cyber risks by re-evaluating—and expanding—their existing legal frameworks and are becoming increasingly vigorous in enforcement.

Notable developments, in late October alone, include the Securities and Exchange Commission’s (SEC) action against a software company and its Chief Information Security Officer (CISO), the Federal Trade Commission’s (FTC) updated Safeguards Rule, and the New York Department of Financial Services’ (NYDFS) amended Part 500 Cybersecurity Regulation.

  • SEC Enforcement and Personal Liability: On the heels of finalizing its landmark cybersecurity disclosure rules, on October 30, 2023, the SEC filed a complaint against a software company—and notably, its CISO—for failure to disclose allegedly known cybersecurity risks and vulnerabilities. The SEC’s complaint focuses on alleged misleading statements and omissions made in public disclosures and alleges, in essence, that the company and CISO represented its cybersecurity practices were stronger than they were and therefore misled shareholders.  The alleged misrepresentations eventually came to light following a prolific cyber-attack in 2020, though, notably, the SEC made clear the alleged violations existed regardless of the cyber-attack. Importantly, the SEC named not only the company but also its CISO in the complaint, citing internal communications and presentations as well as public-facing representations on the website and marketing materials purportedly made or approved by the CISO that contradicted statements in SEC filings. The move is significant in seeking to charge personal liability for alleged cybersecurity failures—perpetuating a recent trend in cybersecurity U.S. regulation.
  • FTC Safeguards Rule: This increased emphasis on cybersecurity has resulted in revamping existing federal frameworks. For example, the FTC announced a new amendment to its Safeguards Rule that would increase cybersecurity reporting obligations for certain non-banking financial institutions.[2] In October 2021, the FTC announced it had finalized changes to the Safeguards Rule to strengthen the data security safeguards that financial institutions are required to put in place to protect their customers’ financial information. On October 27, 2023, the FTC further amended the rule effective 180 days after publication (April 24, 2024).  The amendment requires subject entities to provide notice to the FTC if unencrypted customer information is acquired without the authorization—adding to the vast array of existing state and federal breach notification requirements. The notification must be made as soon as possible, but no more than 30 days after the discovery of a security breach involving 500 or more consumers. In addition, the notice must include the information impacted, anticipated notification date, and number of consumers affected.
  • NYDFS Part 500: Even states are following suit. NYDFS recently amended its Part 500 cybersecurity regulation, originally enacted  in 2017, that articulates cybersecurity requirements for certain insurance and financial services companies. The amended Part 500 regulation, effective as of November, 1, 2023, was adjusted in an effort to keep pace with the emerging threats in the cybersecurity landscape. Covered entities have 180 days (until April 29, 2024) to comply with the amendment, with certain exceptions. The amendment includes penalties for violations and articulates various considerations when imposing such penalties.[3]

Prior to the amendment, the requirements applied uniformly to regulated entities, subject to the entity’s risk assessment. The new regulation, however, distinguishes “Class A” companies by imposing more stringent requirements consistent with their revenue and resources, such as independent audits of its cybersecurity programs.[4] The changes also expand the scope of incidents that may trigger notification, place additional requirements on the oversight of cybersecurity risk management, and require additional policies, procedures, and security testing. For example, the amendment requires the CISO of an organization to report material cyber security issues to the senior governing body (often a board of directors) and maintain an effective cybersecurity program. The cybersecurity program includes revised policy requirements including data mapping, implementing technical controls against malware, business continuity management, and conducting training.

There are also new technical requirements including implementation of access control mechanisms and a more stringent requirement for multi-factor authentication for all users (with limited exceptions). In addition, the existing requirement for annual penetration testing now must be conducted by a qualified party, and organizations also must now conduct annual scans of information systems and bi-annual vulnerability assessments. The amended regulation also requires entities to remediate vulnerabilities consistent with the level of risk they pose.

The amendment also addresses ransom payments explicitly.  For example, subject companies will now be required to notify NYDFS within 24 hours of making an extortion payment. The organization must follow up with a more detailed explanation within 30 days of the payment, including a description of why the payment was necessary and diligence regarding Office of Foreign Assets Control (OFAC).

October proved to be a very active month in cyber regulation, and it appears there is only more to come. While it may seem challenging to keep pace with the ever-changing legislative patchwork, investing the time in understanding and actioning these requirements prior to a cyber crisis is critical to minimizing risk and impact. Companies should continually assess their compliance and security posture against the evolving legal framework. As with all things cyber, a proactive approach can significantly minimize liability in the long-run.

[1] Kamala Harris to call for urgent action on AI threat to democracy and privacy | Artificial intelligence (AI) | The Guardian
[2] The FTC’s Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe.
[3] According to NYDFS’s guidance, “the amended regulation’s new compliance requirements will take effect in phases. Unless otherwise specified, covered entities have 180 days from date of adoption to come into compliance, or until April 29, 2024. Changes to reporting requirements take effect one month after publication of the amended regulation, or December 1, 2023. For certain other requirements, the regulation provides for up to one year, 18 months, or two years to come into compliance.”
[4] A Class A company is a covered entity with at least $20,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and the business operations in this State of the covered entity’s affiliates and (1) over 2,000 employees averaged over the last two fiscal years, including employees of both the covered entity and all of its affiliates no matter where located; or (2) over $1,000,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and all of its affiliates no matter where located.