Navigating New York’s Evolving Cybersecurity Regulations: A Guide for Financial Institutions
In an era where digital advancements are rapidly reshaping the landscape of business, cybersecurity regulations are becoming increasingly complex and dynamic. The threat of cyberattacks looms large, with sophisticated actors constantly devising new methods to exploit vulnerabilities. In response to these challenges, New York State’s Department of Financial Services (NYDFS) has taken significant steps to enhance its regulatory framework, particularly for the financial sector. As we approach the first anniversary of these new regulations, it is crucial for companies to remain vigilant and prepared.
The NYDFS Cybersecurity Landscape
As a regulatory body, the NYDFS oversees more than 3,000 financial institutions, managing assets exceeding $9.7 trillion. This includes a diverse range of entities such as insurance companies, health insurers, banking institutions, and virtual currency firms. The latest cybersecurity regulations, introduced in 2023, build upon the original framework established in 2017 and impose stricter requirements for reporting, incident response, and governance. Notably, a new classification for large Class A firms has been introduced, with its compliance requirements phased in over time.
The Importance of Preparedness
With cyberattacks, particularly ransomware incidents, on the rise—reportedly increasing by 74% globally in 2023—companies must prioritize their cybersecurity strategies. According to IBM’s 2024 report, the average cost of a data breach has surged to $4.88 million, marking a 10% increase from the previous year. This financial burden underscores the necessity for organizations to have robust incident response plans in place.
Key Steps for Compliance and Incident Management
1. Assessing the Situation
In the event of a cyber incident, the first step is to determine whether notification to regulatory bodies is necessary. For entities regulated by the NYDFS, notification is mandatory if the incident poses a "reasonable likelihood of materially harming any material part of the normal operations" or if ransomware has been deployed within a significant portion of the information systems. Additionally, organizations must notify affected individuals if their personally identifiable information has been compromised, as mandated by state laws.
2. Notification Protocols
Notifications should be submitted through the NYDFS portal, and companies should retain the confirmation emails and receipt numbers for their records. It is also vital to consider other statutory and regulatory requirements that may necessitate additional notifications, such as the NY SHIELD Act and various state-level statutes.
3. Timing is Critical
The timing of notifications can significantly impact compliance. The NYDFS mandates that organizations notify them "as soon as possible but in no event later than 72 hours" after determining a cybersecurity incident has occurred. Other states may have varying deadlines, ranging from immediate notification to 30 or 60 days. Companies must manage these timelines carefully, especially if multiple regulators are involved.
4. Restoring Security
Once an incident is confirmed, restoring security is paramount. This may involve disabling user accounts, applying patches, and changing passwords. Organizations are required to implement a written incident response plan, alongside business continuity and disaster recovery strategies. A thorough analysis of the root cause of the incident is also essential to prevent future occurrences.
5. Legal Protections and Insurance
Legal protections are crucial during a cyber investigation. The attorney-client privilege can safeguard communications with legal counsel, while the work-product doctrine protects preparatory materials in anticipation of litigation. Companies should also evaluate their insurance coverage to ensure they are adequately protected against potential cyber incidents.
6. Extending Notification Requirements
The 2023 amendments to the NYDFS regulations extend notification requirements to incidents involving affiliates and third-party service providers. Organizations must assess whether these entities were affected by the cybersecurity incident and ensure compliance accordingly.
7. Effective Communication
Communicating about a cyber breach is a sensitive yet necessary task. Companies must develop a clear messaging strategy for both customers and employees. A case in point is 23andMe, which faced backlash for its delayed and incomplete communication regarding a breach affecting millions of users. The importance of timely and transparent communication cannot be overstated, as it can significantly impact public perception and trust.
Looking Ahead: Compliance as a Continuous Process
As New York’s cybersecurity regulations evolve, companies must proactively adapt their compliance strategies. The NYDFS has already imposed significant fines on entities for non-compliance, and similar regulatory bodies across the country are likely to follow suit. By planning ahead and thoroughly reviewing cybersecurity, incident response, and disaster recovery plans, organizations can position themselves to meet these challenges head-on.
In conclusion, the landscape of cybersecurity regulations is ever-changing, and the stakes are high. As cyber threats continue to escalate, financial institutions must prioritize their preparedness and compliance efforts. Are you ready to navigate the complexities of New York’s cybersecurity regulations?
Author Information
Brian Montgomery is a partner at Pillsbury and a former NYDFS deputy superintendent.
Mark Krotoski is a partner at Pillsbury and a former national coordinator for the Computer Hacking and Intellectual Property Program at the Department of Justice.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.