Earlier this month, Superintendent of Financial Services Adrienne A. Harris announced that the New York State Department of Financial Services (DFS) proposed an updated cybersecurity regulation.
DFS’s original regulation was promulgated in 2017 and was intended to establish a regulatory model, which has since been used by both federal and state financial regulators. Initially, the updates were released as drafts, yet the formal announcement initiates the 60-day comment period. This means that companies have 60 days to submit comments, after which NYDFS will either introduce a revised version or adopt the final regulation.
Growing Need for Updated Legislation
“With cyber-attacks on the rise, it is critical that our regulation keeps pace with new threats and technology purpose-built to steal data or inflict harm,” said Superintendent Harris, while also pointing out that cybercriminals target all kinds of companies, across industries, hence the urgent need for proper regulations being set in place.
DFS has applied a data-driven approach to amending the existing regulation to ensure that all involved entities address new and increasing cybersecurity threats effectively, as well as implement the best practices to protect their consumers and businesses.
The amendments are meant to strengthen the DFS risk-based approach and ensure cybersecurity risk is integrated into business planning, decision-making, and ongoing risk management.
Proposed Changes
Some examples of the new regulations found in the DFS`s press release refer to:
- The creation of three tiers of companies, thus tailoring the regulation to a diverse set of businesses with different defensive needs. In addition, based on feedback from the industry and in recognition of the realities of operating a small business, the proposed amendment increases the size threshold of smaller companies that are exempt from many parts of the regulation.
- Enhanced governance requirements, thereby increasing accountability for cybersecurity at the Board and C-Suite levels.
- Additional controls, aimed to prevent initial unauthorized access to technology systems and to prevent or mitigate the spread of an attack.
- Requiring more regular risk and vulnerability assessments, as well as more robust incident response, business continuity and disaster recovery planning.
- Directing companies to invest in regular training and cybersecurity awareness programs that are relevant to their business model and personnel.
Over the course of the past few months, DFS has sought feedback on these amendments from other regulators, as well as industry groups and intended entities, through the recent Cybersecurity Symposium, industry conferences, and meetings.
DFS looks forward to and appreciates receiving feedback on the proposed amended regulation during the 60 days period. A copy of the amendment can be reviewed on the DFS website.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.