The New York Department of Financial Services (NYDFS) finalized amendments to its cybersecurity regulation (23 NYCRR Part 500) on November 1, 2023, the first major revision since the regulation took effect in 2017. The rulemaking went through several stages: a pre-proposal in July 2022, a proposed rule in November 2022 and a revised proposal in June 2023. The final version incorporated stakeholder comments and introduced several changes and clarifications relative to the earlier drafts.
Key changes in the amendments include:
- Enhanced governance requirements for boards and senior officers.
- Expanded requirements for the chief information security officer to report to the board and senior management.
- Additional requirements for risk and vulnerability assessments, penetration testing, vulnerability scanning, incident response, business continuity, and disaster recovery planning.
- More stringent controls over privileged accounts.
- A requirement for annual cybersecurity awareness training that covers social engineering and is tailored to the company's business model and personnel.
- New requirements for "Class A Companies," a category covering larger covered entities that exceed thresholds for annual gross revenue and number of employees. Class A companies must "implement: (1) a privileged access management solution; and (2) an automated method of blocking commonly used passwords for all accounts on information systems owned or controlled by the class A company and wherever feasible for all other accounts," and must conduct independent audits of their cybersecurity program based on the entity's risk assessment.
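The second Class A control, an automated block on commonly used passwords, is the one item in the list that maps directly onto code. The following is an added illustration of how such a check is typically built; it is not code from NYDFS or from the article, and the blocklist is a small constructed sample standing in for a real common-password or breached-password corpus. It goes slightly beyond a plain lookup: it also rejects trivial variants (case changes, leetspeak substitutions, appended digits or punctuation), which a plain exact-match list would let through.

```python
"""Added example of an automated commonly-used-password block.

Not part of the regulation or the article. COMMON_PASSWORDS is a
constructed sample; a real deployment would load a large corpus such
as a breached-password export and refresh it on a schedule.
"""
import re
import unicodedata

# Constructed sample blocklist (hypothetical data for this example).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin",
    "iloveyou", "monkey", "dragon", "football",
}

# Reverse the most common leetspeak substitutions so "P@$$w0rd"
# collapses to "password" before the lookup.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s",
})

# Minimum length of a normalized core we bother comparing; shorter
# remnants (e.g. an all-digit password stripped to "") are not meaningful.
MIN_CORE_LEN = 4


def fold(pw: str) -> str:
    """Unicode-normalize and case-fold so 'PASSWORD' and 'password' compare equal."""
    return unicodedata.normalize("NFKC", pw).casefold()


def normalize(pw: str) -> str:
    """Reduce a password to its 'core': case-folded, trailing digits and
    punctuation removed, leetspeak undone. 'Dragon2024' -> 'dragon'."""
    s = fold(pw)
    s = re.sub(r"[^a-z]+$", "", s)   # drop appended digits/punctuation
    return s.translate(LEET_MAP)     # undo leetspeak in what remains


def is_blocked(pw: str) -> tuple[bool, str]:
    """Return (blocked, reason). Exact matches are checked first, then the
    normalized core so trivial variants of listed passwords are also refused."""
    folded = fold(pw)
    if folded in COMMON_PASSWORDS:
        return True, "exact match to common-password list"
    core = normalize(pw)
    if len(core) >= MIN_CORE_LEN and core in COMMON_PASSWORDS:
        return True, f"trivial variant of common password '{core}'"
    return False, "ok"


if __name__ == "__main__":
    for candidate in ["P@$$w0rd!", "Dragon2024", "123456",
                      "correct horse battery staple"]:
        blocked, reason = is_blocked(candidate)
        print(f"{candidate!r}: {'BLOCKED' if blocked else 'allowed'} ({reason})")
```

This is a screening control at password-set time and does not replace the rest of the regulation's requirements (MFA, privileged access management, monitoring); a production version would also reject context-specific values such as the user's name or the company name, which the sample list does not cover.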
These amendments will require entities holding a charter or license from NYDFS to review and adapt their cybersecurity programs. Because the NYDFS regulation has served as a model for other cybersecurity requirements, including the NAIC Insurance Data Security Model Law and the Federal Trade Commission's GLBA Safeguards Rule, the amendments may also foreshadow changes to those regimes.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.