New York’s Cybersecurity Regulation: Strengthening Financial Services Against Breaches
As of November 1, 2023, New York’s Department of Financial Services (DFS) is rolling out significant amendments to its Cybersecurity Regulation, aimed at enhancing the resilience of licensed financial services companies against cyber threats. These new requirements are designed to bolster breach readiness and improve recovery capabilities, ensuring that covered entities are better equipped to handle potential cybersecurity incidents.
A Brief History of Cybersecurity Regulation in New York
Since its inception in 2017, New York’s Cybersecurity Regulation has mandated that licensed financial services companies maintain written incident response plans. These plans are critical for outlining how organizations will respond to and recover from cybersecurity incidents. However, the recent amendments introduce a more detailed framework, requiring companies to address specific areas in their incident response strategies.
Key Areas of Focus in the New Amendments
Beginning November 1, covered entities must enhance their incident response plans to include the following critical components:
- Recovery from Backups: Companies must detail how they will recover from backups if critical data is compromised. This includes specifying the processes and technologies employed to ensure data integrity and availability.
- Root Cause Analysis: Organizations are now required to prepare a thorough analysis that explains how and why a cybersecurity event occurred, its business impact, and the measures taken to prevent future occurrences. This proactive approach aims to foster a culture of continuous improvement in cybersecurity practices.
- Updating Incident Response Plans: Companies must regularly review and update their incident response plans to reflect changes in their operational environment and emerging threats.
The Importance of Backup Systems
The emphasis on backup systems is particularly noteworthy. Covered entities must now maintain backups that are essential for restoring material operations, ensuring these backups are adequately protected from unauthorized alterations or destruction. Furthermore, organizations are required to test their ability to restore critical data and information systems from backups at least once a year. This testing must be complemented by training for responsible employees on recovery procedures.
The rationale behind this focus is clear: the effectiveness of backup systems can be the deciding factor between a costly ransom payment and a seamless recovery from a ransomware attack. The DFS has consistently advised against paying ransoms, and these amendments are strategically designed to help organizations avoid such dilemmas by ensuring they have robust backup solutions in place.
Additional Requirements Taking Effect
In addition to the enhancements to incident response plans, several other critical requirements will come into effect:
Business Continuity and Disaster Recovery (BCDR) Plans
Covered entities must now maintain a written BCDR plan that ensures the availability and functionality of their information systems and services during cybersecurity-related disruptions. This plan must also protect personnel, assets, and nonpublic information.
Chief Information Security Officer (CISO) Mandate
The amendments require covered entities to appoint a Chief Information Security Officer (CISO) responsible for the timely reporting of material cybersecurity issues to the senior governing body. This includes significant cybersecurity events and changes to the cybersecurity program, ensuring that leadership is informed and engaged in cybersecurity risk management.
Oversight by Senior Governing Bodies
The senior governing body of each covered entity must actively oversee cybersecurity and risk management matters. This includes understanding cybersecurity-related issues and ensuring that executive management allocates sufficient resources to implement and maintain the cybersecurity program.
Encryption of Nonpublic Information
To protect sensitive data, covered entities must implement a written policy requiring encryption of nonpublic information both in transit and at rest. The CISO must review the feasibility and effectiveness of encryption measures at least annually.
Multi-Factor Authentication for Small Businesses
Previously exempt from multi-factor authentication (MFA) requirements, small businesses will now be required to implement MFA for remote access to information systems, third-party applications, and privileged accounts. This change underscores the importance of robust security measures across all business sizes.
Conclusion
The phased roll-out of New York’s Cybersecurity Regulation amendments marks a significant step forward in enhancing the cybersecurity posture of licensed financial services companies. By mandating comprehensive incident response plans, robust backup systems, and active oversight from leadership, the DFS is fostering a culture of preparedness and resilience. As cyber threats continue to evolve, these regulations will play a crucial role in safeguarding the integrity of the financial services sector and protecting sensitive consumer information. Organizations must take these requirements seriously, not only to comply with regulations but to ensure their long-term viability in an increasingly digital world.