Third Party Risk Management

New York State Department of Financial Services Announces Further Cybersecurity Regulations

The New York State Department of Financial Services has been actively working on proposed updates to their Cybersecurity Requirements for Financial Services Companies.

Dating back to August 2017, the NYDFS has steadily increased and matured regulations: protection of consumers non-public data, documented and board approved policies, and authority notification timelines for when an incident has occurred are samples of a few NYDFS demands. Much of this proposal mirrors the SEC cybersecurity regulations.

Institutions regulated by the NYDFS are required to follow the updated regulations. The maturing of the NYDFS regulations clearly reflect a response to the ever increasing and complex threat landscape. The agency noted that from January 2020 and May 2021, 74 ransomware attacks were reported, some causing days-long shutdowns.

What’s new?

  • 24-hour notification of a ransomware payment and within 30 days why a payment was necessary and were alternative explored?
  • 72-hour notification of a cybersecurity event, including third parties that provide services to the institution. This is an existing requirement that bears repeating as it encompasses third parties.
  • Annual pen testing and risk assessments.
  • Enhanced cybersecurity policies and security measures.
  • Additional governance and board oversight requirements.
  • Class A companies (the largest financial services institutions) need to execute
    • independent, annual cybersecurity audits
    • monitor privileged access
    • utilize an external expert to perform a risk assessment every 36 months

While these regulations are still proposals, it’s fair to say that financial institutions and third parties servicing financial institutions can count on higher demands.

To learn more or continue this conversation, please contact Fortrex Technologies for a no-obligation meeting.