New York proposes changes to the cybersecurity regulation for financial services

More small financial services firms will be exempted, rules will be adjusted to reflect greater diversity in organizations, and top executives of financial services firms will face increased accountability under proposed amendments to New York’s model cybersecurity regulation for financial services.

The New York State Department of Financial Services (DFS) has proposed an update to its original regulation, which the DFS promulgated in 2017. The updated regulation will be subject to comment for 60 days.

The regulation – aimed at protecting New York’s financial services industry from the threat of a cyber attack – was the first of its kind in the US. The regulation requires each company regulated by New York’s DFS to assess its specific cybersecurity risk profile and implement a program to address those risks.

Insurers, banks and other financial services companies regulated by the DFS had to comply by March 2019 by adopting cybersecurity practices and policies to ensure the security of information systems and non-public information. DFS took its first enforcement action under the regulation in July 2020 in relation to a data breach at a title insurer.

The regulation has become a model now used by both federal and state financial regulators.

Superintendent of Financial Services, Adrienne A. Harris, said DFS took a “data-driven approach” to changing the regulation to “address new and rising cybersecurity threats” and “to ensure that cybersecurity risks are integrated into business planning, decision-making and… integrated into ongoing operations risk management.”

According to DFS, the most important changes include:

  • The creation of three corporate tiers that further tailor the regulation to a variety of companies with different defense needs.
  • An increase in the size threshold for smaller companies, which are exempt from many parts of the regulation, as a result of industry feedback and in recognition of the realities of running a small business. This includes exempting businesses with fewer than 20 employees or less than $5 million in New York business.
  • Improved governance requirements, increasing accountability for cybersecurity at board and C-suite level.
  • Additional controls to prevent initial unauthorized access to technology systems and to prevent or contain the spread of an attack.
  • A requirement for more regular risk and vulnerability assessments, as well as more robust incident response, business continuity, and disaster recovery planning.
  • A directive that companies invest in regular cybersecurity training and awareness programs relevant to their business model and employees.

“With cyberattacks on the rise, it’s critical that our regulations keep pace with new threats and technologies that are specifically designed to steal data or cause harm,” Harris said. “Cyber criminals target all types of businesses, large and small, across all industries, which is why all of our regulated businesses must adhere to these standards — whether it’s a bank, virtual currency company, or health insurance company.”

Under the cybersecurity regulation, all banks, insurance companies and other financial services institutions and licensees regulated by DFS must have a cybersecurity program in place that protects consumers’ private information, have a written policy or policies approved by the board of directors or a senior officer, have a chief information security officer who helps protect data and systems, and protect data held by third-party providers.

Businesses are also required to report cybersecurity events online through the DFS cybersecurity portal.

DFS said it has solicited feedback on proposed changes from other regulators, industry groups and regulated companies through the recent Cybersecurity Symposium, industry conferences and meetings. After the 60-day comment period, regulators will review all comments and either re-propose a revised version or adopt the final regulation, DFS said.
