The New York State Department of Financial Services has amended its cybersecurity regulations to enhance cyber governance, mitigate risks, and protect New York businesses and consumers from cyber threats. The amended regulations build on the impact of the original cybersecurity regulations, which established the framework that both federal and state financial regulators now use as a model for protecting against cyber threats. A copy of the final adopted regulations is available on the DFS website.
The new rules strengthen the Department of Financial Services' (DFS) risk-based approach to ensure that cybersecurity is integrated into regulated entities' business planning, decision-making, and ongoing risk management. Key changes in the regulations include:
- Enhanced governance requirements;
- Additional controls to prevent initial unauthorized access to information systems and to prevent or mitigate the spread of an attack;
- Requirements for more regular risk and vulnerability assessments, as well as more robust incident response, business continuity, and disaster recovery planning;
- Updated notification requirements including a new requirement to report ransomware payments; and
- Updated direction for companies to invest in at least annual training and cybersecurity awareness programs that anticipate social engineering attacks and that are otherwise relevant to their business model and personnel.
As part of its data-driven approach to cybersecurity, DFS conducted significant outreach through cyber symposiums and conferences and through dialogue with state, federal, and international regulators, industry, and other experts in the field of cybersecurity. The adopted amendment holds DFS-regulated businesses and licensed entities accountable for implementing cybersecurity protections and for maintaining cyber defenses appropriate to their size, nature of business, and the type of data maintained, among other relevant considerations, while continuing to foster growth of New York's financial services industry.
“New York has always led the way in protecting businesses and consumers from online threats, and with these amendments to our nation-leading cybersecurity regulations, we are continuing to set the national standard,” Governor Hochul said. “On the heels of launching the State’s first-ever cybersecurity strategy, boosting state law enforcement’s cyber capabilities, and signing landmark legislation to protect our energy grid from cyberattacks, my administration is doubling down on our commitment to ensuring that financial institutions have the safeguards in place to protect vital customer data and maintain the integrity of our financial system.”
New York State Superintendent of Financial Services Adrienne A. Harris said, “This regulation continues the Department’s transformative, data-driven approach to cybersecurity oversight. Cyberattacks are on the rise, and the updates require the financial services industry to institute stronger standards and controls to secure sensitive data. Expanded use of proven protections such as multifactor authentication will be required while maintaining the risk-based flexibility of the landmark cybersecurity regulations.”