New York amends Cybersecurity Regulation that applies to financial services industry

Constangy, Brooks, Smith & Prophete, LLP

The New York Department of Financial Services recently amended its Cybersecurity Regulation. The revisions aim to strengthen cybersecurity and technology controls to address evolving threats to consumer data and ensure the continued integrity of financial systems. Here are a few key elements of the amendments to the Regulation and what we think will be their immediate impact on financial institutions.

Key changes to the Regulation

Tiered obligations and exemptions. Entities licensed by the DFS should first assess whether they are a “Small Business” or a “Class A Business,” as well as whether they fall within one of the exemptions based on factors outlined in the amended regulation. This will determine which, if any, requirements apply to their business.

Cybersecurity governance. The updates emphasize the importance of cybersecurity governance, consistent with the recent cyber risk updates from the Securities and Exchange Commission. Financial institutions operating in New York are now obligated to bolster their cybersecurity governance by implementing comprehensive cybersecurity programs, conducting regular risk assessments, and maintaining oversight by the “senior governing body.” Organizations must also demonstrate adequate oversight through annual reviews of written cybersecurity policies, and the updated rules require Chief Information Security Officers to inform senior leadership of material non-compliance with the regulations.

Focus on access controls. The updated Regulation places a renewed focus on access controls, expressly incorporating the concepts of “least privileges,” so that access is granted only where necessary for a user’s job. Financial institutions must limit privileged accounts and periodically review user access privileges to minimize the risk of inappropriate access.

Enhanced Incident Response and Business Continuity Plans. Incident Response Plans must include new components, including the internal processes for responding to a cybersecurity event, preparation of root cause analysis, and an express requirement to update the Plan as necessary. Further, the amendments also require entities to develop and implement a Business Continuity and disaster recovery plan. This Plan must address the availability and functionality of a business’s information systems and outline a number of procedures related to continuing operations during an incident. Financial institutions must regularly test these Plans with all employees who will be responsible for implementing them.

Annual cybersecurity training requirement. All industries are increasing their focus on creating an informed and security-oriented workforce. The amendments follow this trend, calling for regular, and at least annual, cybersecurity awareness training. The amendments also require training in social engineering tactics.

Looking ahead

The recent updates signal New York’s continued proactive approach to fortifying cybersecurity and consumer protection in the financial sector. The new compliance requirements will take effect in phases and will vary based upon whether an entity qualifies as a Small Business, a Class A Business, or a Covered Entity. Changes to the reporting requirements took effect on December 1 (one month after the amended Regulation was published on November 1), but financial institutions have until April 29, 2024 (180 days from the publication date) to come into compliance with many of the new requirements. For certain requirements, entities have up to two years to come into compliance. These requirements include implementing automated scans or manual review of information systems, and deploying multi-factor authentication for all individuals who access systems.

Entities and individuals subject to the amended regulations should assess their status under the amended requirements and determine the relevant timelines for compliance. We recommend that entities review their existing policies and documentation and develop plans regarding implementation of the enhanced cybersecurity measures, and risk management and incident response processes.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Constangy, Brooks, Smith & Prophete, LLP | Attorney Advertising
