Five years ago, the New York Department of Financial Services new Cybersecurity Regulation went into effect. The NYDFS Cybersecurity regulations were a big development because, at the time, it was the first comprehensive regulation of its kind in the United States.
New York is the first state in the nation to successfully pass and implement a statewide Cybersecurity Regulation. The regulation was designed to protect New Yorkers—and consumers in general—from the growing threat of cyberattacks and help safeguard organizations operating in the financial services industry from data breaches.
Recently, at the end of July 2022, the NYDFS released draft amendments to Part 500 of the 23 NYCRR also known as the ‘Cybersecurity Regulation’.
Related article: the Development of the New York State DFS Cybersecurity Regulation.
What Changes Are Expected to the NYDFS Cybersecurity Regulations?
The new regulations would compel financial firms to:
- Notify the NYDFS of any illegal access to privileged information or the discovery of ransomware affecting a significant portion of its information system within 72 hours;
- Update its cybersecurity and update risk assessment policy and present updates to its board of directors or senior governing body at least once every year
- Require the board to exert adequate control over cyber risk and its cybersecurity staff, or to get advice from outside experts with the necessary skills and knowledge;
- Utilize multi-factor authentication for all privileged accounts and remote access to non-public information. Assure that the organization’s chief information security officer, or CISO, has enough independence and risk management authority.
How Does this Effect Companies Subject to NYDFS Cybersecurity Regulations?
The NYDFS Cybersecurity Regulations still apply to all types of credit unions, health insurers, investment companies, licensed vendors, life insurance companies, mortage brokers, savings and loan associations, private bankers, offices of foreign banks, and commercial banks operating in the state of New York. These financial institutions are likely already required to comply with regulations such as PCI DSS or SANS CSC 20.
Financial institutions subject to NYDFS cybersecurity regulations should make an effort to stay updated on the proposed changes. If adopted, these changes would mark a significant increase in targeted compliance measures for covered entities. In the meantime, as we await a final decision regarding the proposed update, businesses should start assessing how well their cybersecurity programs adhere to the new requirements. If, and when, the changes go into effect, they will have 180 days to make sure they are in compliance with the new standards.
Find out more about AWA’s comprehensive NYDFS Cybersecurity Compliance services.