Navigating New York’s Evolving Cybersecurity Regulations: What Businesses Need to Know
In an era where digital threats are becoming increasingly sophisticated, cybersecurity regulations are a moving target. The New York State Department of Financial Services (NYDFS) has taken significant steps to enhance its regulatory framework, particularly in light of the growing number of cyberattacks. As we approach the first anniversary of these new regulations, businesses must remain vigilant and proactive in their cybersecurity strategies.
The Regulatory Landscape
NYDFS oversees more than 3,000 financial institutions, including banks, insurance companies, and virtual currency firms, with assets exceeding $9.7 trillion. In November 2023, the department adopted amendments to its cybersecurity regulation (23 NYCRR Part 500) that build on the original 2017 framework. The amendments impose stricter requirements for incident reporting, incident response, and governance, with additional obligations for large "Class A companies." Because the amendments take effect in phases, organizations should map each new requirement to its effective date and prepare for compliance well before the deadline rather than after an incident forces the issue.
The Rising Threat of Cyberattacks
The urgency of these regulations is underscored by alarming statistics. According to the Office of the Director of National Intelligence, ransomware attacks increased by 74% globally in 2023 compared to the previous year. IBM's 2024 Cost of a Data Breach report found that the global average cost of a breach rose to $4.88 million, a 10% increase over the prior year and the largest single-year jump since the pandemic. With financial exposure of that size, businesses must have a tested response plan in place before an incident occurs.
Key Steps for Compliance
1. Assessing the Situation
In the event of a cyber incident, the first step is to determine whether it must be reported to regulatory bodies such as NYDFS, the Securities and Exchange Commission (SEC), or the Federal Trade Commission (FTC). Under the amended NYDFS regulation, a covered entity must notify the department of a cybersecurity incident if notice is also required to any other government, self-regulatory, or supervisory body; if the incident has a "reasonable likelihood of materially harming" any material part of the organization's normal operations; or if ransomware has been deployed within a material part of its information systems. Note that the ransomware trigger stands on its own: deployment of ransomware is reportable even if the organization believes it contained the damage.
2. Notification Requirements
Separate from the regulatory notice, if individuals' personally identifiable information (PII) has been compromised, the affected individuals must be notified. Every state has a breach notification law imposing such a duty, and the deadlines and content requirements vary, so prompt, accurate communication matters. NYDFS-regulated entities should use the NYDFS cybersecurity portal to submit notices and retain the confirmation emails for their records. Additionally, review other statutory and contractual obligations (for example, customer contracts, vendor agreements, and payment card rules) that may require further notifications.
3. Timing is Critical
Timeliness in notification is crucial. NYDFS requires covered entities to notify the department "as soon as possible, but in no event later than 72 hours" after determining that a cybersecurity incident has occurred. Other regulators run on different clocks, so the response team must track each deadline separately from the moment of that determination. Extortion payments have their own timeline: NYDFS must be notified within 24 hours of any extortion payment made in connection with a cybersecurity incident, and within 30 days the entity must provide a written description of why the payment was necessary, what alternatives were considered, and the diligence performed, including compliance with applicable sanctions rules.
4. Restoring Security
Once a breach is identified, restoring security is paramount. This may involve disabling compromised accounts, applying patches, resetting credentials, and confirming that the attacker's access has actually been removed before systems are returned to service. The regulation requires organizations to maintain a written incident response plan as well as business continuity and disaster recovery plans. The amended rules also expect the incident response plan to include a root cause analysis documenting how and why the incident occurred, what business impact it had, and what will be done to prevent recurrence, which is what separates a genuine remediation from a temporary fix.
Legal Protections and Insurance
Legal protections are essential during a cyber investigation. The attorney-client privilege can safeguard communications with legal counsel, while the work-product doctrine protects legal strategies in anticipation of litigation. Companies should also review their insurance policies to ensure adequate coverage for cybersecurity incidents, including crime and liability insurance.
Extending Notification Requirements
The 2023 amendments make clear that the notification requirement covers cybersecurity incidents affecting the covered entity, its affiliates, or a third-party service provider. Organizations must therefore be able to learn of, and assess, incidents at these additional entities quickly enough to meet the 72-hour clock, which in practice means contractual notice obligations and escalation paths with vendors need to be in place before an incident occurs.
Effective Communication Strategies
Communicating about a cyber breach can be daunting but is critical for maintaining trust with customers and stakeholders. A recent example is 23andMe, which faced backlash for its delayed and incomplete notifications regarding a breach affecting millions of users. Developing a comprehensive public relations strategy to manage communications during a breach is essential.
Conclusion: Preparing for the Future
As NYDFS continues to refine its cybersecurity regulations, businesses must stay ahead of the curve by developing thorough compliance strategies. This includes reviewing cybersecurity measures, incident response plans, and disaster recovery protocols. Seeking legal guidance before a significant incident occurs can also provide invaluable support.
In a landscape where cyber threats are ever-evolving, preparation is key. Are you ready to navigate the complexities of New York’s cybersecurity regulations?
Author Information
Brian Montgomery is a partner at Pillsbury and a former NYDFS deputy superintendent. Mark Krotoski is a partner at Pillsbury and a former national coordinator for the Computer Hacking and Intellectual Property Program at the Department of Justice.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.