New York State Cybersecurity Regulations Set to Begin on November 1, 2024

Quick Hits: Understanding the Amended NYDFS Cybersecurity Regulations

The New York Department of Financial Services (NYDFS) regulates much of the financial services sector in New York, and its cybersecurity regulation (23 NYCRR Part 500) sets minimum requirements for protecting nonpublic information and the information systems that hold it. The most recent amendments to Part 500 phase in over several dates, and a significant group of requirements takes effect on November 1, 2024. Covered entities should understand what changes on that date and prepare accordingly.

A Brief History of NYDFS Cybersecurity Regulations

The NYDFS first adopted its cybersecurity regulation on March 1, 2017, establishing a framework for banks, insurers, and other regulated entities to safeguard their information systems. The regulation was amended on November 1, 2023, with a series of rolling compliance dates: some provisions took effect in late 2023 and early 2024, others take effect on November 1, 2024, and the remainder in 2025. The amendments respond to the increasing sophistication of cyber threats and raise the baseline that regulated organizations must meet.

Who Are the Covered Entities?

The amended regulation applies to covered entities regulated by the NYDFS, a broad group that includes banks and trust companies, insurance companies, insurance agents and brokers, mortgage banks, mortgage brokers and lenders, money transmitters, check cashers, and other licensed financial services businesses. The amendments also create a tier of large companies, called Class A companies, that must meet additional requirements, while small covered entities that meet employee, revenue, or asset thresholds may qualify for limited exemptions from certain provisions.

Key Regulations Effective November 1, 2024

As the deadline approaches, all nonexempt covered entities (not only Class A companies, which carry further obligations on top of these) should prioritize implementing the following policies and procedures:

1. Corporate Governance Updates

Covered entities must ensure that their governance structures address cybersecurity risk. In particular, the Chief Information Security Officer (CISO) must timely report to the senior governing body or to senior officers on material cybersecurity issues, such as significant cybersecurity events and significant changes to the cybersecurity program.

2. Oversight of Cybersecurity Risk Management

The senior governing body (for example, the board of directors or an equivalent committee) must exercise oversight of the covered entity's cybersecurity risk management. This requires enough understanding of cybersecurity matters to oversee the program effectively and to regularly receive and review management reports on cybersecurity issues.

3. Encryption Policies

Covered entities must implement a written policy requiring encryption that meets industry standards to protect nonpublic information, both in transit over external networks and at rest. Where the covered entity determines that encryption of nonpublic information at rest is infeasible, it may instead rely on effective alternative compensating controls, but those controls must be reviewed and approved in writing by the CISO, and the CISO must revisit the feasibility of encryption and the effectiveness of the compensating controls at least annually.

4. Incident Response Plan Updates

Covered entities must update their written incident response plans so that they cover response to, and recovery from, cybersecurity events materially affecting the confidentiality, integrity, or availability of their information systems, including disruptive events such as ransomware incidents. Among other things, the plans must address recovery from backups and preparation of a root cause analysis following an incident.

5. Business Continuity and Disaster Recovery Plans

Covered entities must also maintain written business continuity and disaster recovery (BCDR) plans that meet the regulation's specified content requirements. In addition, they must maintain the backups necessary to restore material operations, and those backups must be adequately protected from unauthorized alteration or destruction.

6. Employee Training

Covered entities must provide relevant training to all employees responsible for implementing the incident response and BCDR plans, so that those employees understand their roles and responsibilities and can carry them out when an incident occurs.

7. Regular Testing of Plans

Covered entities must test their incident response and BCDR plans at least annually, involving the staff and management critical to the response, including senior officers. The testing must include the covered entity's ability to restore its critical data and information systems from backups, so that the plans and backups are known to work rather than assumed to.

Next Steps for Compliance

Ahead of the November 1, 2024 deadline, companies regulated by the NYDFS should review their cybersecurity policies, practices, and training programs against the amended regulation. Compliance planning should also account for the further requirements that take effect on May 1, 2025, and November 1, 2025.

Covered entities should also review the amended regulation to determine whether they qualify for any exemptions, and to confirm the complete list of requirements that apply to them.

Conclusion

The amended NYDFS cybersecurity regulation raises the minimum standard for cybersecurity programs in the financial services sector. Covered entities that understand the requirements and implement them ahead of each compliance date will be better positioned both to protect their clients' information and to demonstrate compliance to the regulator.

For ongoing updates and insights, organizations can follow Ogletree Deakins’ Cybersecurity and Privacy blogs, as well as their New York developments.

Authors:
Jeffrey D. Coren, Of Counsel, Ogletree Deakins, Buffalo Office
Leah J. Shepherd, Writer, Ogletree Deakins, Washington, D.C. Office

