New York’s fresh, updated cybersecurity rule for financial hubs.

The New York Department of Financial Services (NYDFS) finalized updates to a cybersecurity rule in November 2021, introducing more stringent cybersecurity requirements for financial institutions operating in New York State. This reflects a wider push by federal and state regulators in recent years to better safeguard consumer data. The updated rule places emphasis not only on strict technical controls but also on improved governance, expecting companies to invest time and capital to ensure compliance.

Key updates include:

• Enhanced cybersecurity governance: NYDFS-regulated financial institutions are required to submit annual reports detailing plans for addressing material issues and significant cybersecurity events and changes to programs. CISOs or their equivalents are required to report more directly, and organizations must engage in annual testing of incident response and disaster recovery programs.
• Technical controls: The rules stipulate that financial institutions must enact multifactor authentication and protections against malicious code, encrypt sensitive information in transit, limit user access privileges, and implement written password policies among others.
• Incident response planning: Institutions must now maintain written incident response plans that investigate and mitigate cybersecurity and ensure operational resilience.

Financial institutions are advised to update incident response plans to comply with the rule, plan, and budget for the new governance and reporting requirements. This is particularly important for larger institutions referred to as “Class A” companies, which are subject to additional requirements including annual independent audits of their cybersecurity programs and implementing endpoint detection and response solutions.

This rule change is in line with cyber insurance underwriters’ expectations and presents an opportunity for financial institutions to improve their standing with insurers. The updated NYDFS rule comes at a time of increased scrutiny for all companies relating to cybersecurity and privacy legislation, making it ever more important for organizations to mature their cybersecurity hygiene.