The New York State Department of Financial Services (NYSDFS) Cybersecurity Regulation, 23 NYCRR Part 500, was substantially amended on November 1, 2023. Most of the new requirements take effect on April 29, 2024, with the remaining provisions phased in through November 2025. Financial institutions regulated by NYSDFS must understand and implement the new requirements on that schedule to maintain compliance and avoid enforcement penalties.
One of the key changes in the updated regulation concerns scope. Part 500 has always applied to all “covered entities,” meaning any person or organization operating under a license, registration, charter or similar authorization under New York’s Banking Law, Insurance Law or Financial Services Law, not only banks and insurers. The amendment narrows the exemptions available to smaller entities and adds a new tier, the “Class A company,” for the largest covered entities, which carry additional obligations. It also sharpens the terminology. A cybersecurity “event” is any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or the information stored on it. A cybersecurity “incident” is a narrower category: an event that has occurred at the covered entity, one of its affiliates or a third-party service provider and that either requires notice to a government, self-regulatory or supervisory body, has a reasonable likelihood of materially harming a material part of the entity’s normal operations, or results in the deployment of ransomware within a material part of its information systems. The distinction matters because the notification obligations attach to incidents, not to every event.
The updated regulation also imposes new requirements for programs and policies. Class A companies must design and conduct independent audits of their cybersecurity programs, scoped according to their risk assessment, and every covered entity must make all documentation and information relevant to its cybersecurity program available to the superintendent upon request. Cybersecurity policies must be approved at least annually by a senior officer or the senior governing body (typically the board or an equivalent), and the procedures that implement each policy must be documented and followed.
Governance expectations have also been formalized. Each covered entity must designate a qualified Chief Information Security Officer (CISO) with enough authority, including over budget and staffing, to ensure cybersecurity risks are managed. The CISO must report in writing to the senior governing body at least annually on the overall effectiveness of the program, material cybersecurity risks and plans for remediating any material inadequacies, and must report material cybersecurity issues, such as significant incidents or material changes to the program, to that body in a timely manner. The senior governing body in turn is expected to understand cybersecurity well enough to exercise effective oversight, to require executive management to maintain an effective program, and to regularly receive and review management reports on it.
Vulnerability management now demands written policies and procedures. Covered entities must conduct penetration testing of their information systems from both inside and outside the network boundary at least annually, run automated vulnerability scans (supplemented by manual review of systems the scanners do not cover) at a frequency set by the risk assessment and after any material system change, monitor for newly disclosed vulnerabilities, and remediate findings promptly, prioritized by risk. Access controls have been tightened as well: user access privileges must be limited to what each user’s job requires, reviewed at least annually, and removed promptly when no longer needed, with Class A companies additionally required to deploy privileged access management. Multi-factor authentication is being extended from remote access to any individual accessing any of the covered entity’s information systems, with full implementation due by November 1, 2025.
In the event of a cybersecurity incident, covered entities must have written incident response and business continuity/disaster recovery plans in place. The incident response plan must cover goals, internal processes and decision-making authority, internal and external communications, remediation of identified weaknesses, documentation of the incident, recovery from backups, and a root cause analysis describing how and why the incident occurred, its business impact and what will be done to prevent recurrence; the plans must be tested periodically, including the ability to restore critical data and systems from backups. Notification to NYSDFS is required within 72 hours of determining that a cybersecurity incident has occurred, and within 24 hours of any extortion payment made in connection with an incident, followed within 30 days by a written explanation of why the payment was necessary and what alternatives were considered. Separately, each covered entity must file an annual certification of compliance, now signed by both the CISO and its highest-ranking executive; where material compliance cannot be certified, the filing must instead acknowledge the shortfall and describe the remediation plan and its timeline.
Monitoring and training are crucial components of compliance as well. Covered entities must monitor the activity of authorized users and detect unauthorized access, implement risk-based controls to protect against malicious code (including monitoring and filtering of web traffic and email to block malicious content), and deliver cybersecurity awareness training at least annually that includes social engineering exercises such as phishing. Class A companies must additionally deploy endpoint detection and response and a centralized solution for logging and security event alerting.
Overall, these regulatory changes underscore the importance of cybersecurity in the financial sector and will require increased investment in technology and staffing. Financial institutions must act on the phased deadlines, beginning April 29, 2024, to avoid penalties and to reduce their exposure to cybersecurity threats.