New York Cybersecurity Regulations Latest Updates
On November 1, 2024, New York’s Department of Financial Services (“NYDFS”) rolled out the next phase of amendments to its cybersecurity regulations under Part 500. These changes build on the rules first introduced in 2017 and reflect the growing importance of securing sensitive data and information systems across the financial services sector. As the cybersecurity landscape evolves, these amendments introduce more stringent requirements for businesses operating in New York, including larger organizations and small businesses with partial exemptions. Here’s a breakdown of what these changes mean for your business.
For larger organizations, referred to as Class A and standard companies, the new requirements focus on cybersecurity governance, encryption of nonpublic information (“NPI”), and incident response and business continuity management. One of the key updates is the increased responsibility for Chief Information Security Officers (“CISOs”). CISOs are now required to produce annual reports on the adequacy of the company’s cybersecurity program. These reports must address policies, procedures, and any material weaknesses that need to be remediated. Additionally, CISOs must notify senior management or the board of directors about any significant cybersecurity events or changes to the cybersecurity program in a timely manner. This heightened governance structure ensures that cybersecurity is treated not only as a technical issue but also as a key business concern at the highest level.
When it comes to protecting sensitive data, Section 500.15 of the amended regulations mandates that companies implement strong encryption measures to safeguard nonpublic information, particularly in transit over external networks. While compensating controls may still be used in certain situations, such as when encryption isn’t feasible for data “at rest,” these exceptions are becoming more limited. The CISO is required to assess annually the feasibility of encryption and the effectiveness of any compensating controls, making it clear that encryption should be the default standard wherever possible.
The new regulations also emphasize preparedness in the event of a cybersecurity incident or disaster. Under Section 500.16, companies must have up-to-date incident response and business continuity plans in place. These plans must be tested annually, ensuring that critical staff are trained and ready to act in case of a disruption. The ability to restore critical data and systems from backups is a must, as is ensuring that secondary systems can support operations in the event of an incident.
Smaller businesses with partial exemptions are not left out of these updates. If your business employs fewer than 20 people and meets certain financial thresholds (less than $7.5 million in gross revenue over the past three years, or less than $15 million in total assets), you may qualify for partial exemptions. However, there are still key requirements that must be followed. For example, multi-factor authentication (“MFA”) must now be implemented for remote access to information systems, third-party applications containing NPI, and privileged accounts. Additionally, cybersecurity training must be provided to all employees at least annually, covering critical topics like phishing, social engineering, and emerging AI-based threats, such as deepfakes.
For all businesses affected by these changes, it’s crucial to conduct a thorough review of your cybersecurity programs and ensure you’re meeting the new requirements. For Class A and standard companies, the focus should be on strengthening governance and reporting processes, ensuring encryption is in place for sensitive data, and testing incident response and business continuity plans regularly. Smaller businesses should prioritize implementing multi-factor authentication and cybersecurity training for all employees. With these updates, the NYDFS is making it clear that cybersecurity must be a top priority across the board. Staying ahead of these requirements will help safeguard your business and ensure compliance with the state’s evolving cybersecurity standards.
© 2024 Cliclaw.com
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.