The New York Department of Financial Services (NYDFS) is officially proposing changes to its cybersecurity regulation, Cybersecurity Requirements for Financial Services Companies. On November 9, 2022, the 60-day public comment period on the NYDFS regulation amendments opened, and it will remain open to the public until January 9, 2023.
According to New York State, “DFS has taken a data-driven approach to amending the regulation to ensure that regulated entities address new and increasing cybersecurity threats with the most effective controls and best practices to protect consumers and businesses.”
And while this updated regulation is only for regulated entities in New York, we expect other states and national governments to follow suit with similar tightening.
How might these changes affect your cyber defense? Below, we take a closer look at these amendments. Read on to see how your cybersecurity processes stack up.
A Brief Background on the Original NYDFS Regulation
In 2017, the NYDFS published its Cybersecurity Regulation, finally putting it into effect in early 2019. The initial regulations required companies to:
- Administer yearly risk assessments
- Develop security policies and procedures based on these risk assessments
- Maintain and manage incident response plans
- Run annual penetration tests and bi-annual vulnerability assessments
- Use multi-factor authentication (MFA) for system access from an external network
- Notify regulators of a cybersecurity event within 72 hours
- Provide the board of directors with annual reports regarding the company’s cybersecurity program
- Certify their compliance with the NYDFS regulation annually
Exemptions for financial services organizations include companies with:
- Fewer than 20 employees; or
- Less than $5 million in gross annual revenue in each of the last three fiscal years; or
- Less than $15 million in year-end total assets
What are the New NYDFS Regulation Amendments?
In the official press release, NYDFS says, “The proposed amended regulation strengthens the DFS risk-based approach to ensure cybersecurity risk is integrated into business planning, decision-making, and ongoing risk management.”
As derived directly from the press release, the proposed amendments include:
- The creation of three tiers of companies, further tailoring the regulation to a diverse set of businesses with different defensive needs. Furthermore, based on feedback from the industry and in recognition of the realities of operating a small business, the proposed amendment increases the size threshold of smaller companies that are exempt from many parts of the regulation;
- Enhanced governance requirements, thereby increasing accountability for cybersecurity at the Board and C-Suite levels;
- Additional controls to prevent initial unauthorized access to technology systems and to prevent or mitigate the spread of an attack;
- More regular risk and vulnerability assessments, as well as more robust incident response, business continuity and disaster recovery planning; and
- Requiring companies to invest in regular training and cybersecurity awareness programs that are relevant to their business model and personnel.
In short, if these NYDFS regulations are put into law in 2023, organizations must:
- Prioritize cyber risk and have enhanced risk visibility
- Have cybersecurity policies, procedures, and risk assessments approved by the board of directors, or equivalent governing body
- Provide cyber risk briefings on an annual basis
- Review and respond to potential issues or risks from vulnerability assessments and pen tests
Plus, members of leadership, including the CEO and CISO, must:
- Co-sign an annual declaration of security compliance with the NYDFS regulation
- Participate in and help facilitate incident response plan testing
- Engage in business continuity plan testing
“These requirements are a great example of how cyber risk isn’t purely a bits and bytes issue to be ‘handled by the security team’… It’s a core responsibility of the board and management team.”
What the NYDFS Amendments Mean for Financial Companies Across the Globe
If approved, the new NYDFS regulation amendments will likely take effect 180 days after the date of approval. So what do these new regulations mean for financial companies? What should you do to prepare for this regulation to go into effect in 2023? One aspect may be more pressure to strengthen cyber defense by reducing workforce cyber risk.
We know that addressing worker risk requires a comprehensive, multidisciplinary strategy. It’s important to start at the individual level, raising awareness, making training more intuitive and accessible, and enabling real-time feedback for personal security decisions. But no amount of training or awareness will overcome all the factors affecting minute-by-minute personal decision making.
That’s why it’s even more important to develop a security-conscious organization, with top-level management visibility, reporting and sponsorship. But beyond that, to round out a 360° cyber defense, machine-speed analytics and automated responses provide risk-tailored safeguards that block risks before they reach your workers.
➡️ Dive into our eBook on worker risk management to discover how to solve for worker risk with predictive risk-based mitigation and management.
Is your cyber defense strategy ready for these new NYDFS regulation amendments? Regardless of the state you’re in, the industry you’re a part of, or your company size, it’s important to take your cybersecurity procedures and policies to the next level in 2023.
The Elevate Security Platform enables you to make better security decisions that align with NYDFS’ proposed changes, such as:
- Easily analyzing and monitoring internal workforce risk
- Benchmarking visibility, targeted security controls, and personalized feedback to better protect the most at-risk employees
- Moving beyond a one-size-fits-all approach by tailoring security to each individual’s risk level
To learn more, book your demo to explore the cyber defense strengthening power of Elevate Security.