Quick Hits: Navigating the Amended NYDFS Cybersecurity Regulations
As the digital landscape evolves, so too do the regulations governing cybersecurity, particularly for financial services companies and other covered entities. The New York Department of Financial Services (NYDFS) has been at the forefront of this evolution: its cybersecurity regulation (23 NYCRR Part 500) has now been significantly amended, and the amended requirements are phasing in on a rolling schedule. With several of those requirements taking effect on November 1, 2024, covered entities need to prepare now. This article summarizes the key provisions of the amendments, their implications for covered entities, and the steps needed to achieve compliance.
A Brief History of NYDFS Cybersecurity Regulations
The NYDFS first introduced its cybersecurity regulation on March 1, 2017, establishing a framework aimed at protecting nonpublic financial information from cyber threats. The regulation has been updated periodically to address the changing threat landscape. The most recent amendments were adopted on November 1, 2023, and introduced a series of rolling effective dates: some provisions took effect in 2024 on earlier dates, several take effect on November 1, 2024, and additional requirements are scheduled for 2025.
Understanding Covered Entities
The amended cybersecurity regulation applies to a wide range of covered entities regulated by the NYDFS, including banks, insurance companies, mortgage lenders, and various other financial service providers. Notably, the regulation distinguishes Class A companies, which face additional requirements, from other covered entities; Class A status turns on the entity's size (gross annual revenue and headcount thresholds, measured together with affiliates), not simply on the type of business. Smaller covered entities may qualify for a limited exemption from certain provisions. Determining which classification applies is the first step in any compliance review.
Key Regulations Effective November 1, 2024
As the deadline approaches, nonexempt covered entities, including but not limited to Class A companies, must take proactive steps to align their policies and procedures with the amended regulation. Here are the critical areas to focus on:
1. Corporate Governance
Covered entities must enhance their corporate governance structures. This includes ensuring that the Chief Information Security Officer (CISO) reports in a timely manner to the senior governing body (or senior officers) on material cybersecurity issues, such as significant cybersecurity events and significant changes to the cybersecurity program. The governing body must exercise ongoing oversight of cybersecurity risk management, which means it must possess (or obtain through briefings and advisors) a sufficient understanding of cybersecurity matters, require management to maintain the cybersecurity program, and regularly receive and review management reports on the program.
2. Encryption Policies
Implementing a written encryption policy that meets industry standards is now a requirement. The policy must protect nonpublic information both in transit over external networks and at rest. For information at rest only, and only where the covered entity determines that encryption is infeasible, alternative compensating controls may be used instead, provided they are reviewed and approved in writing by the CISO. The feasibility of encryption and the effectiveness of any compensating controls must be revisited by the CISO at least annually, so a one-time approval is not sufficient.
3. Incident Response Plans
Updating incident response plans is critical. These plans must address cybersecurity events, including ransomware incidents, and detail the internal processes for responding, including recovery from backups and conducting a root cause analysis after the incident to determine how and why it occurred and what controls should be changed to prevent recurrence. A well-defined incident response plan is vital for minimizing damage and ensuring a swift recovery.
4. Business Continuity and Disaster Recovery
Covered entities must establish business continuity and disaster recovery (BCDR) plans that meet the regulation's specified requirements, including identifying the documents, data, facilities, infrastructure, and personnel essential to continued operations and backing up essential information with sufficient frequency and storing it off-site. Covered entities must also maintain backups necessary to restore material operations and keep those backups adequately protected from unauthorized alteration or destruction. Regular testing of these plans is essential to ensure effectiveness.
5. Employee Training
Covered entities must provide relevant training to employees responsible for implementing the incident response and BCDR plans, and must ensure that current copies of those plans (or the relevant portions) are distributed or otherwise accessible to the employees who need them. Employees must understand their roles and responsibilities to respond effectively during a cybersecurity incident.
6. Regular Testing
Finally, covered entities must test their incident response and BCDR plans at least annually with all staff and management critical to the response, including senior officers and the highest-ranking executive, and must periodically test their ability to restore critical data and information systems from backups. This testing is vital to identify weaknesses and ensure preparedness for actual cybersecurity events.
Next Steps for Compliance
With the November 1, 2024 deadline approaching, companies regulated by the NYDFS should review their cybersecurity policies, practices, and training. This review should confirm compliance with the amended regulation and prepare for the additional requirements taking effect on May 1, 2025, and November 1, 2025, which include expanded multi-factor authentication and asset inventory obligations.
Covered entities should also review the amended regulation to determine whether they qualify for any exemptions, to confirm whether they meet the Class A thresholds, and to familiarize themselves with the complete list of applicable requirements and their effective dates.
Conclusion
As the cybersecurity landscape continues to evolve, so too must the strategies employed by covered entities to protect nonpublic information. The amended NYDFS cybersecurity regulation presents both challenges and opportunities for financial services companies. By proactively updating policies and procedures, strengthening corporate governance, and training the employees who will carry out incident response and recovery, covered entities can navigate these changes effectively and safeguard their operations against cyber threats.
For ongoing updates and insights into the evolving cybersecurity landscape, companies can follow Ogletree Deakins’ Buffalo and New York offices, which will continue to monitor developments and provide timely information through their Cybersecurity and Privacy blogs.
Authors:
Jeffrey D. Coren, Of Counsel, Ogletree Deakins’ Buffalo Office
Leah J. Shepherd, Writer, Ogletree Deakins’ Washington, D.C. Office