NY Enhances Financial Cybersecurity Regulations
Thursday, November 16, 2023
New York Finance Cybersecurity Risk Management
Print Mail Download i

New York recently announced amendments to the State Department of Financial Services’ cybersecurity regulations. The changes further solidify the state’s already comprehensive cybersecurity regulatory regime. The amendments were both announced by Gov. Hochul and became effective on November 1, 2023. They apply to DFS regulated entities and aim to strengthen provisions around cyber governance, risk mitigation, incident notification, and training.

New obligations under the amendments include:

  • Senior leadership is now explicitly required to exercise oversight of an entity’s cybersecurity risk management.
  • CISOs must make timely reports to an entity’s senior leadership on material cybersecurity issues, including on cybersecurity events and changes to the entity’s cybersecurity program.
  • Previously required cybersecurity risk assessments must now be conducted annually, or whenever there is a material change to the covered entity’s cyber risk.
  • Entities must now conduct annual cybersecurity awareness training that includes training on how to address social engineering.
  • Incident response plans must now include business continuity and disaster recovery plans. These plans must also be tested annually.
  • Entities must notify DFS within 24 hours after making an extorsion payment (i.e. a ransomware payment) and provide a detailed explanation of the reasons for making the payment within 30 days.

The amendments also created additional obligations for larger “Class A companies.” These are companies with a two-year average of (1) at least $20 million in gross revenue (including instate revenue from affiliates) and; (2) 2000 employees or $1 billion in total annual revenue (including all affiliate revenue). Class A companies must design and conduct independent cybersecurity program audits, implement a privileged access management solution that includes specific password requirements, and deploy an endpoint detection and response solution that includes logging and security event alerting.

Putting it Into Practice: These updated regulations continue to demonstrate that New York State remains hyper-focused on cybersecurity. Regulated entities should review the new regulations carefully and take care to ensure they update their policies and procedures to comply with the new requirements.

Copyright © 2024, Sheppard Mullin Richter & Hampton LLP.

Current Legal Analysis

More from Sheppard, Mullin, Richter & Hampton LLP

CFPB Announces Update in Continued War on Mortgage Servicing Junk Fees
by: A.J. S. Dhaliwal , Mehul N. Madia
Kansas Enacts Earned Wages Access Law
by: A.J. S. Dhaliwal , Mehul N. Madia
New York Broadly Revises Hospital Financial Assistance, Medical Debt Collection and Related Requirements
by: Carmen Jule
Utah’s New AI Disclosure Requirements Effective May 1
by: Liisa M. Thomas , Kathryn Smith
The CPPA Signals Focus on Data Minimization and Consumer Requests
by: Brittany Walter
Nebraska Fourth State to Enact Privacy Law in 2024
by: Liisa M. Thomas , Kathryn Smith
Solving for Physician Burnout: Creating a Culture of Psychological Safety
by: Kathleen M. O'Neill , Samantha Young
CMS Finalizes Federal Minimum Staffing Standards for Nursing Homes
by: Lourdes Martinez , Gregory R. Smith
New Program Under Biden Executive Order to Prevent Access to American’s Sensitive Personal Data by Foreign Actors
by: Townsend L. Bourne , Jordan Mallory
FTC Votes to Ban Noncompete Agreements
by: John D. Carroll , Leo Caseria

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins