Financial institutions and businesses regulated by the New York Department of Financial Services (NYDFS) are facing updated cybersecurity requirements under 23 NYCRR Part 500. The Second Amendment to Part 500 was adopted on November 1, 2023 and phases in over roughly two years; the next major compliance date is November 1, 2024. These changes are part of a broader effort to strengthen cybersecurity programs and protect nonpublic information. Organizations should start preparing now to meet the new standards and avoid regulatory penalties.

Who Is Affected
The updated regulations apply to a wide range of entities under NYDFS oversight, including banks, insurance companies, mortgage lenders, and other financial institutions. Larger organizations, identified as "Class A" companies (generally those with at least $20 million in gross annual revenue from New York operations and either more than 2,000 employees or more than $1 billion in gross annual revenue, counting affiliates), face additional requirements, while smaller businesses may qualify for limited exemptions from some provisions.
Key Requirements
As the November 2024 compliance date approaches, covered entities must align with the amended Part 500 requirements. The new rules focus on strengthening protections and preparedness across several critical areas.
1. Executive Oversight
CISO Reporting: The Chief Information Security Officer (CISO) must report in writing to the senior governing body at least annually on the cybersecurity program and material cybersecurity risks, and must report material cybersecurity issues and changes in a timely manner, so that the board or equivalent body is actively engaged in risk oversight.
Annual Certification: Covered entities must submit, by April 15 each year, either a certification of material compliance with Part 500 or a written acknowledgment of non-compliance that identifies the areas of non-compliance and the remediation plan. The filing must be signed by the highest-ranking executive and the CISO.
2. Data Protection & Incident Response
Encryption: Companies must encrypt nonpublic information both in transit over external networks and at rest. Compensating controls approved in writing by the CISO and reviewed at least annually remain permitted only for data at rest; as of November 1, 2024 they are no longer accepted for data in transit.
Incident Response Plan: Plans must cover detection and containment, recovery (including restoring from backups), root cause analysis, notification obligations, and any needed updates to controls, and must be tested at least annually with the staff and senior management critical to the response.
3. Business Continuity & Disaster Recovery (BCDR)
Comprehensive BCDR Plans: Companies must maintain detailed plans that identify the documents, data, facilities, personnel, and third parties needed to keep operations running during a cyber-related disruption, maintain backups that are isolated from network connections and can be restored, and test the plans at least annually to verify effectiveness.
4. Employee Training & System Testing
Training: Cybersecurity awareness training, updated to reflect the company's risks, is mandatory for all personnel at least annually and must address social engineering threats such as phishing.
Risk Assessments and Testing: The cybersecurity risk assessment must be reviewed and updated at least annually. Separately, companies must conduct annual penetration testing from both inside and outside the network by a qualified internal or external party, and run automated vulnerability scans at a frequency set by the risk assessment, to identify weaknesses before attackers do.
5. Cybersecurity Incident Reporting
72-Hour Notification: Covered entities must notify NYDFS within 72 hours of determining that a cybersecurity incident has occurred, including incidents at an affiliate or third-party service provider, where the incident requires notice to another government or regulatory body, has a reasonable likelihood of materially harming any material part of normal operations, or involves the deployment of ransomware within a material part of the company's information systems.
Ransomware Payments: Companies must notify NYDFS within 24 hours of any extortion payment and, within 30 days, submit a written statement explaining why the payment was necessary, what alternatives were considered, and what diligence was performed, including compliance with sanctions rules.
Failure to comply with these requirements can result in significant penalties. NYDFS has a track record of strict enforcement, with fines that vary with the severity and duration of the violation, the harm caused, and the size and cooperation of the organization. "Class A" companies, which must also meet additional controls such as independent audits, privileged access management, and endpoint detection and logging requirements, have correspondingly more obligations against which they can be examined.
Conclusion
The amended NYDFS cybersecurity regulation reflects the increasing need for stronger data protection and incident response programs. While the immediate focus is on the November 2024 compliance date, businesses should also note that further requirements take effect on November 1, 2025, including multi-factor authentication for all users accessing information systems (with limited exceptions) and a written asset inventory policy. We will continue to monitor and provide updates on regulatory changes as they arise. Staying proactive and continuously updating your cybersecurity program will help ensure long-term compliance and protection against evolving cyber threats.
For more information on cybersecurity regulations and their potential impact on your organization, contact our Partner, Fiona Xu, at fiona.xu@consultils.com.
Disclaimer: The materials provided on this website are for general informational purposes only and do not, and are not intended to, constitute legal advice. You should not act or refrain from acting based on any information provided here. Please consult with your own legal counsel regarding your specific situation and legal questions.

Fiona Xu, Esq. is the Partner and Head of Transactions of ILS.
She has extensive experience supporting global and high-growth technology companies on compliance and business needs. Her practice focuses on regulatory compliance across different sectors, with a focus on sector-specific regulations for artificial intelligence (AI) and medical devices. She supports multinational corporations in establishing and maintaining U.S. operations, managing legal and compliance challenges in various areas such as Privacy, Export Control, and CFIUS issues.
Email: fiona.xu@consultils.com | Phone: 626-344-8949