The Clock is Ticking: Prepare for the Upcoming Changes to New York's NYDFS Cybersecurity Regulation

  • Writer: Melissa Thornton
  • Feb 13, 2023
  • 7 min read



The comment period has come to a close, and the countdown is on for businesses to ensure they are in compliance with all of the new NYDFS cybersecurity requirements.


The Proposed Amendment represents the direction cybersecurity regulation is heading and the measures businesses must take to protect against cyber threats. The world of cybersecurity, privacy, and data protection is constantly evolving, with new regulations and guidelines introduced at a seemingly never-ending pace. This is particularly challenging for organizations operating in New York State, where the New York Department of Financial Services (NYDFS) has recently proposed significant updates to its cybersecurity rules, designed to better protect financial institutions and consumers from the growing threat of cyber attacks.


In this blog, we'll provide an overview of the key changes to the NYDFS cybersecurity rules and offer practical advice on how businesses can prepare for the new requirements.


The NYDFS Cybersecurity Regulation: An Overview


The regulation was designed to help protect NYDFS-regulated financial institutions from cyber attacks, data breaches, and other cybersecurity threats. The original regulation required these institutions to implement a cybersecurity program, appoint a Chief Information Security Officer (CISO), and provide regular cybersecurity training to employees. It also required them to conduct annual penetration testing and periodic risk assessments and to establish incident response plans.


The Key Updates to the NYDFS Cybersecurity Rules


The proposed updates to the NYDFS cybersecurity rules build upon the original regulation and introduce new requirements to better protect against the evolving threat of cyber attacks.


Some of the key changes include:


The Role of the CISO


The CISO must have the authority to direct sufficient resources toward implementing and maintaining the cybersecurity program, and the CISO's annual written report must also address the company's plans for remediating any material inadequacies.


Board Oversight and Direction


The covered entity's board (or equivalent) must provide oversight and direction on cybersecurity risk management, and they must have sufficient knowledge and expertise, or be advised by persons with sufficient knowledge and expertise, to effectively oversee cyber risk management. The CISO must also report any material cybersecurity issues to the senior governing body in a timely manner, such as updates to the covered entity's risk assessment or major cyber events.


Incident Response, Business Continuity, and Disaster Recovery


Covered entities must develop and implement written plans for mitigating disruptive events and ensuring operational resilience, including incident response, business continuity, and disaster recovery. This includes periodic testing of incident response plans, business continuity and disaster recovery plans, and backup restoration. Covered entities must also maintain backups that are protected from unauthorized alterations or destruction.


Vulnerability Management and Employee Awareness Training


Covered entities must develop and implement written policies and procedures for vulnerability management, and they must conduct automated vulnerability scans and manual reviews of systems not covered by those scans. The frequency of these scans must be determined by the risk assessment, and in any case they must be performed at least annually. Additionally, covered entities must provide annual awareness training for all personnel, which should include social engineering exercises.


Compliance Certification


The annual certification of compliance must be signed by both the highest-ranking executive and the CISO, and it may acknowledge a lack of compliance so long as the covered entity identifies remedial efforts and a timeline for their implementation.


Revising the Approach to Risk Assessments for Covered Entities


The protection of sensitive data is a critical issue for all organizations, and it is essential that companies take the necessary steps to ensure that their data is secure from cyber threats. As part of this, it is important to regularly conduct risk assessments to identify and mitigate potential risks. The Proposed Amendments to the regulations for covered entities include several changes to how risk assessments should be conducted, which we will explore in this blog.


Tailored Risk Assessments


Risk assessments must take into account the specific circumstances of the covered entity, including its size, staffing, governance, products, operations, customers, counterparties, service providers, and vendors, as well as the geographies and locations of its operations. This will ensure that the risk assessment is tailored to the unique needs of the covered entity and provides a more accurate picture of its cyber risks.


Threat and Vulnerability Analyses


Incorporating threat and vulnerability analyses into the risk assessment process is critical to ensuring that all potential risks are identified and addressed. The risk assessment must also include mitigation strategies to minimize the impact of any potential threats or vulnerabilities.


Regular Review and Updating of Risk Assessments


The risk assessment must be reviewed and updated whenever a change in business or technology causes a material change to the covered entity's cyber risk. Additionally, the risk assessment must be reviewed and updated at least annually to ensure that it remains relevant and accurate.


External Expertise for Class A Companies


Class A companies must use external experts to conduct a risk assessment at least once every three years. This will provide an additional level of expertise and ensure that the risk assessment is comprehensive and accurate.


Strengthening Access Controls and Technical Requirements in Cybersecurity Regulations


The Proposed Amendments to the current Cybersecurity Regulations include several changes aimed at strengthening access controls and technical requirements for covered entities.


Complete Asset Inventory and Limited User Access


Covered entities must establish policies and procedures for periodically disposing of nonpublic information and limiting access privileges for users on information systems that provide access to nonpublic information. The Proposed Amendments set additional controls for user access and retention, including the creation of a complete asset inventory covering all information systems and components and limiting user access privileges to only that which is necessary for the user's job.


Restrictions on Privileged Accounts


The Proposed Amendments limit the number of privileged accounts and limit their access functions to only those necessary for the user's job. The use of privileged accounts is also limited to only when performing functions requiring such access, and all user access privileges must be reviewed at least annually to remove or disable accounts and access that are no longer necessary.


Improved Technical Requirements


The Proposed Amendments also include several technical requirements aimed at improving the security of covered entities' information systems. This includes disabling or securely configuring all protocols that permit remote control of devices, conducting penetration testing from both inside and outside the information systems' boundaries at least annually, and employing a password policy that meets industry standards.


Multifactor Authentication


The Proposed Amendments require multifactor authentication for remote access to the covered entity's information systems, remote access to third-party applications from which nonpublic information is accessible, and all privileged accounts. The CISO may approve a reasonably equivalent or more secure control in exceptional cases.



Key Takeaways


Definition of a Violation


The Proposed Amendments clarify that the commission of a single prohibited act, or the failure to act to satisfy an obligation, constitutes a violation of the regulations. Additionally, the failure to comply with any section of the regulations for any 24-hour period or the failure to secure or prevent unauthorized access to an individual's or entity's nonpublic information due to noncompliance with any section of the regulations constitutes a violation.


Mitigating Factors for Penalties


When assessing penalties for violations of the regulations, the NYDFS will consider several mitigating factors, including: the extent of the covered entity's cooperation, good faith, and history of violations; whether the conduct was unintentional, reckless, or intentional; whether the violation resulted from a failure to remedy previous examination matters; the extent of the harm; and the number and gravity of the violations.


Effective Dates


The Proposed Amendment changes will take effect 180 days from the date of adoption for most provisions (no earlier than July 8th, 2023), with the exception of the new incident notification requirements and changes to the annual notice of certification, which will take effect 30 days after adoption. The exemptions and the requirement to maintain backups will take effect one year after adoption, while many technical controls-related changes will take effect 18 months after, and the requirement to maintain an asset inventory will take effect two years after.


Evaluate Incident Response Procedures


Regulated entities should evaluate their incident response procedures to ensure timely reporting of third-party and other incidents. They should also assess the extent to which these changes will affect them and what additional resources they may need to devote to their existing cybersecurity programs.


Partner with a Cybersecurity Expert


Cybersecurity is a critical concern for businesses, and it is essential to keep up with the constantly evolving threats. The proposed updates to the New York Department of Financial Services (NYDFS) cybersecurity rules provide a more comprehensive approach to protecting consumers against cyber threats, and businesses must take the necessary steps to stay ahead of these threats.


Businesses can safeguard sensitive customer data by implementing a comprehensive plan that identifies and mitigates cybersecurity risks within their organization. This plan should include the steps outlined in this blog, such as evaluating incident response procedures and working with a cybersecurity expert to perform a gap analysis of your current cybersecurity state.


By taking these steps, businesses can ensure they are in compliance with the new regulations and better prepared to protect against cyber attacks.


Please contact us if you have any questions about NYDFS or how these regulations will affect your company. Let Cybersecurity Advisory Group work with you to evaluate your current security state and develop a comprehensive plan to comply with the new regulations and protect your business against cyber threats. In addition to our cybersecurity consulting services, we have strategic partnerships with privacy and cybersecurity law firms specializing in NYDFS and privacy regulations.


About the Author: Melissa Thornton, CISSP

Melissa Thornton is a principal security consultant at Cybersecurity Advisory Group, specializing in providing SMBs and startup companies with cyber risk management advisory. As a former CEO with over 20 years of technology, business operations, and security experience, Melissa understands the unique challenges of running a business. As a trusted advisor, Melissa works with clients to develop clear strategies and implement best practices across the board. She's skilled at spotting risks—large or small—and ensuring they never become problems.


If your business is looking for a knowledgeable and collaborative cybersecurity partner, we would love the opportunity to work with you.