New York State’s newly updated cybersecurity rules for financial institutions across the board have introduced more stringent cybersecurity requirements. Some key changes include:
- Strengthened governance: Banks and other institutions are required to enhance their cybersecurity governance, with key entities such as CISOs having to make annual reports on material risks and plans for addressing these issues.
- Technical controls: More stringent technical controls have been implemented on financial institutions, including multi-factor authentication and protection mechanisms against malicious code and cyber threats.
- Improved incident response: All regulated entities must maintain compliant written incident response plans to ensure operational resilience and prompt recovery from cybersecurity incidents.
Additional requirements have been outlined for larger financial institutions, dubbed “Class A” companies. These companies, defined as those with at least $20 million in annual revenue over the past two years from their operations in New York State, now have to conduct independent audits of their cybersecurity programs annually or more frequently.
Financial institutions are required to start planning and budgeting for these new governance and reporting requirements. This rule update should be treated not merely as a compliance requirement but as an opportunity to improve standing with insurers and potentially secure more favorable terms.
This comes at a time of increased cybersecurity scrutiny for all companies regardless of industry. The updated New York cybersecurity rule is in line with what cyber insurance underwriters have expected for several years, further pushing financial institutions to improve their cybersecurity hygiene. Ultimately, complying with New York’s updated cybersecurity rule can have a beneficial ripple effect on risk management approaches and strategies.