New York Cybersecurity Regulation: Upcoming Changes and Their Broader Implications

As of November 1, 2024, financial services companies regulated by the New York Department of Financial Services (NYDFS) will face new requirements concerning cybersecurity governance, encryption, and incident response. These updated standards not only aim to enhance the security posture of financial institutions but also serve as a valuable framework for organizations across various sectors to bolster their data security programs. In an era where cyber threats are increasingly sophisticated, a robust cybersecurity strategy is not just a regulatory necessity but a strategic investment that can significantly reduce the risk of security breaches and the associated legal repercussions.

Understanding the New York Cybersecurity Regulation

The New York Cybersecurity Regulation, codified at N.Y. Comp. Codes R. & Regs. tit. 23, § 500.0, was first enacted in 2017. Its primary goal was to compel banks, lenders, insurance carriers, and other financial institutions to evaluate their cybersecurity measures and protect consumer information from unauthorized access. The regulation specifically mandates the safeguarding of "non-public information," which includes sensitive data that could be exploited by cybercriminals.

The initial version of the regulation included essential baseline standards, such as the establishment of a comprehensive cybersecurity program, the implementation of written policies and procedures, conducting regular risk assessments and independent audits, and appointing a Chief Information Security Officer (CISO). These foundational elements were designed to create a culture of cybersecurity awareness and responsibility within financial institutions.

Key Updates Effective November 2024

In response to the evolving landscape of cyber threats, the NYDFS has amended the Cybersecurity Regulation once again, with several critical changes set to take effect on November 1, 2024. These updates include:

  1. Enhanced Cybersecurity Governance: The new standards require CISOs to promptly report cybersecurity issues to senior management or governing bodies within their organizations. This change emphasizes the importance of timely communication and accountability in managing cybersecurity risks.

  2. Mandatory Encryption Policies: All covered entities must implement a written policy mandating the encryption of non-public information. The encryption must adhere to industry standards, and organizations will no longer be allowed to rely on alternative controls for protecting non-public information during transit. This requirement underscores the necessity of robust encryption practices in safeguarding sensitive data.

  3. Regular Testing of Incident Response Plans: Organizations must update and test their security incident response plans at least annually. Additionally, they are required to train employees on these plans, as well as on business continuity and disaster response strategies. Regular testing of data backups and revising policies based on these tests are also mandated, ensuring that organizations are well-prepared to respond to potential security incidents.

Special Provisions for Small Businesses

The November 2024 amendments also introduce specific requirements for small businesses, which are exempt from some provisions of the Cybersecurity Regulation. By the deadline, small businesses must:

  • Implement multi-factor authentication for any remote access to information systems.
  • Provide annual cybersecurity training for employees, covering critical topics such as social engineering, phishing, email compromises, and emerging threats enhanced by artificial intelligence, including deepfake technology.

These provisions aim to ensure that even smaller entities maintain a baseline level of cybersecurity awareness and preparedness.

Broader Implications for Data Security

The November 2024 updates to the New York Cybersecurity Regulation are more prescriptive than what is typically seen in data security standards. As organizations across various industries grapple with the increasing frequency and sophistication of cyberattacks, these regulations may serve as a model for other highly regulated sectors to adopt similar standards.

Implementing a strong cybersecurity program not only helps organizations comply with regulations but also offers a significant return on investment. By proactively addressing cybersecurity risks, organizations can reduce the likelihood of successful security events and mitigate the growing trend of security-related lawsuits.

Conclusion

The upcoming changes to the New York Cybersecurity Regulation represent a significant step forward in the ongoing battle against cyber threats. By establishing clear requirements for cybersecurity governance, encryption, and incident response, the NYDFS is setting a high standard for financial services companies and providing a valuable blueprint for organizations across all sectors.

For those seeking guidance on the New York Cybersecurity Regulations or other industry-specific privacy and security requirements, consulting with a knowledgeable attorney can provide clarity and direction. If you have questions or need assistance, please reach out to your Quarles privacy attorney or contact:

  • Meghan O’Connor: (414) 277-5423 / meghan.oconnor@quarles.com
  • Kaitlyn Fydenkevez: (202) 780-2642 / kaitlyn.fydenkevez@quarles.com

In an age where data breaches can have devastating consequences, investing in a robust cybersecurity framework is not just prudent—it’s essential for safeguarding your organization’s future.