New York’s updated cybersecurity rule for financial institutions has now been finalized by the New York Department of Financial Services, leading to more stringent requirements for these organizations. This update to the original 2017 rule falls in line with increased efforts from federal and state regulators to enhance consumer data protection. Below are the key updates to the regulation:
- Enhanced cybersecurity governance: Financial institutions must now provide annual reports not only on cybersecurity programs and risks but also on plans for addressing material matters. They are also obliged to report promptly on significant cybersecurity events and program adjustments. Boards are required to participate more directly in cybersecurity risk management, and annual testing of incident response and recovery programs, as well as annual risk assessments, are now mandatory.
- Application of technical controls: Enterprises must adopt multifactor authentication, protect against malicious code, encrypt sensitive information in transit, limit user access privileges, and create written password policies. They should also perform annual penetration testing, vulnerability scans and analysis, and maintain thorough inventories of their information systems.
- Rigorous incident response planning: Entities must now maintain written incident response plans that include proactive means to investigate and mitigate cybersecurity risks, ensuring operational resilience. These plans should facilitate prompt response and recovery from significant cybersecurity incidents.
- Prompt notifications to NYDFS: Entities should report data breaches, ransomware incidents, and extortion payments within 24 hours. They also need to provide updates on substantial changes or new information following the initial reporting.
Larger financial institutions, known as “Class A” companies, are subject to additional requirements under the updated rules. Such businesses are defined as those regulated by the NYDFS with either $20 million or more in annual revenue from their operations in New York State, 2,000 or more total employees, or $1 billion in total global revenue. Additional rules for Class A companies include conducting independent audits of their cybersecurity programs, managing access privileges more meticulously, and implementing endpoint detection and response solutions.
The updated rule is perceived as an opportunity for financial institutions to improve their standing with insurers and possibly secure more favorable terms. Furthermore, it falls in line with the more stringent notification requirements for public companies following cybersecurity events introduced by the Securities and Exchange Commission. As such, financial institutions should treat this as a chance to enhance their cybersecurity hygiene in light of growing scrutiny and the potential adoption of similar rules in other jurisdictions.