New York Strengthens Cybersecurity Regulations and the Key Updates for Financial Businesses


As cybersecurity continues to be a top priority for both businesses and regulators, New York has made significant updates to its cybersecurity regulation for financial institutions, 23 NYCRR Part 500, administered by the Department of Financial Services (“DFS”). Announced by Governor Kathy Hochul and adopted effective November 1, 2023, the amendments build on the state’s already comprehensive framework for cybersecurity governance, risk management, and incident response. Most of the new obligations phase in over the two years following adoption, so the compliance date for a given requirement depends on the transition period DFS assigned to it. If your business operates within New York’s financial services sector or is otherwise licensed or regulated by DFS, these changes will directly affect your cybersecurity program and compliance efforts.
The updates introduce several new obligations that emphasize accountability at the senior leadership level, expanded reporting requirements, and more robust risk mitigation practices. One of the primary updates is that the senior governing body (the board of directors or its equivalent) must now exercise explicit oversight of cybersecurity risk management: it must have sufficient understanding of cybersecurity matters, receive regular management reports, and confirm that the program is adequately resourced. This makes cybersecurity a board-level responsibility integrated into the organization’s overall business strategy rather than a task delegated to the IT department, with senior leaders accountable for the outcomes.
The role of the Chief Information Security Officer (“CISO”) also becomes more prominent under the amendments. The CISO must report material cybersecurity issues to the senior governing body or senior officers in a timely manner, not only in the existing annual written report. This includes reporting significant cybersecurity events and material changes to the entity’s cybersecurity program, so that leadership has a current picture of the organization’s security posture. The amendments also require that the CISO have adequate authority to ensure cybersecurity risks are appropriately managed.
Risk assessments, a cornerstone of the original regulation, must now be reviewed and updated at least annually, and whenever a change in the business or technology causes a material change to the entity’s cyber risk. This cadence is intended to keep the assessment aligned with the entity’s actual risk profile rather than a point-in-time snapshot. In addition, cybersecurity awareness training is now required at least annually for all personnel and must cover social engineering, a growing threat and the entry point for many credential-theft and business email compromise incidents.
Another important update is the expanded requirement for incident response planning. Entities must now maintain both incident response plans and business continuity and disaster recovery (“BCDR”) plans, and each must be tested at least annually, including the ability to restore critical data and systems from backups, so that the organization is prepared for a disruptive cybersecurity event. The amendments also add a new reporting obligation: if an extortion payment, such as a ransomware payment, is made in connection with a cybersecurity event, the entity must notify DFS within 24 hours of the payment and, within 30 days, submit a written description of the reasons the payment was necessary, the alternatives considered, and the diligence performed, including sanctions compliance checks. This is in addition to the existing 72-hour notice requirement for reportable cybersecurity events.
The amendments also introduce additional obligations for larger entities, designated “Class A” companies. A Class A company is one with at least $20 million in gross annual revenue from its New York operations (including affiliates) and either more than 2,000 employees or more than $1 billion in gross annual revenue, in each case averaged over the last two fiscal years. Class A companies must undergo an independent audit of their cybersecurity program at least annually, implement a privileged access management solution, deploy an endpoint detection and response (“EDR”) solution, and deploy a solution that centralizes logging and security event alerting. These measures are designed to strengthen defenses for organizations with greater exposure and more complex operations, and the tooling requirements in particular will drive budget and procurement decisions well before the applicable compliance date.
For businesses already familiar with New York’s original cybersecurity regulation, which took effect March 1, 2017, these updates build on the existing foundation. The 2017 rules established the requirement for a comprehensive cybersecurity program and laid out its core elements: identifying risks to nonpublic information, implementing a defensive infrastructure with written policies and access controls, and fulfilling reporting and certification obligations. The 2023 amendments add stricter oversight and more detailed process requirements to keep pace with the evolving threat landscape.
Given these updates, businesses regulated by DFS should review and update their cybersecurity policies and procedures against each amended section and its compliance date. In particular, confirm that the senior governing body is actively engaged in cybersecurity governance, that the CISO is reporting material issues in a timely manner, and that risk assessments, incident response and BCDR plans, and training programs are current and their annual testing or updates are documented.
Compliance Recommendation.
To remain compliant with New York’s enhanced cybersecurity regulation, businesses should promptly conduct a thorough gap assessment of their cybersecurity programs against the amended requirements. Update governance structures so that the senior governing body is involved in risk management, and strengthen processes around risk assessments and incident reporting, including the 24-hour and 30-day extortion payment notices. It is also vital that all employees receive cybersecurity awareness training at least annually, with particular attention to social engineering tactics. Larger businesses should confirm whether they meet the Class A thresholds and, if so, engage an independent auditor and plan the rollout of the required technical controls, such as EDR, centralized logging and alerting, and privileged access management. By staying proactive and documenting compliance as each transition period ends, your business can continue to safeguard its operations and meet regulatory expectations in an increasingly complex cybersecurity landscape.


This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.