Effective November 2023, the New York Department of Financial Services (NYDFS) has amended its Cybersecurity Regulation (23 NYCRR 500), setting enhanced cybersecurity requirements for the financial institutions it regulates.
This update builds upon the original, landmark regulation from 2017. That regulation mandated detailed requirements for cyber risk assessment, attack detection, protective controls, and recovery planning. It also required financial institutions to appoint a Chief Information Security Officer (CISO) and to certify compliance annually, establishing a robust framework for cybersecurity in the financial sector.
The current updates include:
- Guidelines for managing “Cybersecurity Events” and “Incidents”, including response protocols for unauthorized access and significant events requiring government notification.
- Requiring institutions to conduct independent cybersecurity audits and to implement multi-factor authentication for access to sensitive systems.
- Introducing measures to protect a broad spectrum of nonpublic personal and business data, including individual identifiers and health information.
- Requiring vulnerability management policies and limiting each user's access privileges to what their role requires.
- Mandating the appointment of a CISO to oversee cybersecurity programs and emphasizing the role of qualified personnel in risk management.
- Tightening control over third-party service providers to ensure compliance with established cybersecurity standards.
- Mandating that covered entities report cybersecurity incidents within 72 hours of determining that an incident has occurred, and certify compliance annually.
- Requiring large financial institutions (those above the regulation's revenue or employee-count thresholds) to conduct annual independent cybersecurity audits and to enhance access management, including password controls and monitoring of privileged activity.
- Requiring CISOs to report on the cybersecurity program to the board of directors, which in turn is responsible for understanding and overseeing cyber risk management.
- Requiring financial institutions to have Business Continuity and Disaster Recovery plans for resilience against disruptions.
- Requiring notification of any extortion (ransom) payment within 24 hours and, within 30 days, a written explanation of why the payment was necessary, what alternatives were considered, and the sanctions-compliance diligence performed.