A Closer Look at Recent Changes to New York State Department of Financial Services (NYSDFS) Cybersecurity Regulation


By Christopher Salone, Consulting Manager at FoxPointe Solutions

Most changes to The New York State Department of Financial Services (NYSDFS) Cybersecurity Regulation, 23 NYCRR Part 500, introduced November 2023, have been assigned a compliance date of April 29, 2024. As this deadline fast approaches, the clock is ticking for financial institutions subject to regulation by NYSDFS to make the necessary operational changes to remain compliant and avoid penalties.

This new body of requirements is especially important to thoroughly evaluate ahead of this deadline because it includes critical redefinitions of terms and standards that continue to cause challenges and confusion for financial leaders six months post-introduction of the guidance. Of course, the first step to remaining compliant is to make sure you understand the complex requirements of each guideline.

Below, please find a breakdown of the new expectations included in the regulation that you must adhere to in order to avoid penalties come May.

Expanded Scope

Gone are the days that just banks and insurers have to worry about building a compliant cybersecurity program. This new regulation has expanded the scope of applicability to include financial institutions of any size and third-party service providers.

New terms and classifications have also been introduced that extend regulatory events to new events and entities. For example, cybersecurity “event” and “incident” now have their own categories. A cybersecurity event is any act or attempt, whether successful or not, to disrupt an information system, while an incident is now defined as a cybersecurity event that has occurred at the covered entity, its affiliates, or a third-party service provider that may result in ransomware, material harm, or the need to notify a government body or regulatory agency.

Program and Policy Changes

Financial institutions must now not only conduct independent audits of its cybersecurity program, but also make all documentation of these audits available to the superintendent upon request. Furthermore, these documents must include “relevant and applicable provisions of a cybersecurity program maintained by an affiliate and adopted by the covered entity.”

There is also more oversight now required of corporate cybersecurity policies. Under the new governance, financial institutions must now have their policies approved annually by the senior officer or senior governing body that oversees their compliance, and all procedures must be well-documented in accordance with the approved policy.

For those working to build out their policies, regulations now recommend that all policies include procedures for cybersecurity factors like data retention, end of life management, remote access, and more.

Governance Expectations

New regulations seek to formalize oversight of cybersecurity programs going forward. Financial institutions must now appoint a Chief Information Security Officer (CISO) to present cyber plans, issues, and changes to the Board. The CISO should also be heavily involved in annual reporting, including eradicating any material inadequacies.

Vulnerability Management

Clear and comprehensive policies and procedures regarding vulnerability management must now be documented. These should include preventative procedures like internal and external penetration testing, frequent system scans for vulnerabilities, and timely addressing of those vulnerabilities once identified by security controls planned or in place. These assessments must be updated annually, or whenever there is a change to the business or its utilized technology that impacts the institution’s risk.

Data Protections

Speaking of preventative measures, the new regulation is more specific about the kinds of basic security measures required of all financial institutions. For example, access privileges must be strictly enforced, with certain data considered “privileged” based on security risk. Privileged information should be safeguarded with password protection or user access permits that are evaluated and updated annually or when there is a personnel departure.

Multi-factor authentication is another expectation that even covers those technically “exempt” from the new regulations. This standard should be applied to all privileged data, as well as in cases of remote access to the entity’s own information systems or that of third-party applications. Encryption is another tool deemed acceptable and recommended by regulatory bodies.

Incident Response

Unfortunately, even the best laid plans can fail, especially in the everchanging digital world we now live in. Due to this, 23 NYCRR Part 500 lays out clear expectations on how entities must prepare and respond to a cybersecurity event or incident. Under the new guidance, financial institutions are required to develop thorough, documented response plans that highlight goals, root cause analysis procedures, and internal processes to follow in the event of a cyber breach. Disaster recovery and business continuity plans should also include data backup procedures and recovery approaches, and once finalized, be distributed to all employees and tested regularly.

After a breach occurs, entities are required to notify the New York State Department of Financial Services within 72 hours – or 24 hours in cases of extortion payments – providing all relevant and requested documentation. Entities, and more specifically, the CISO, must also proactively provide written acknowledgment if they did NOT comply with regulatory requirements regarding the incident, and share a remediation plan.

Monitoring and Training

Human error poses the biggest risk to not only the cybersecurity of an entity, but in the maintenance of compliance. To avoid the consequences of human error, financial institutions must take necessary steps to block malicious content on devices, monitor web traffic, and implement other risk-based controls.

Additionally, cybersecurity training should be conducted annually and during onboarding, and employees should be regularly tested via phishing demonstrations.

These regulatory changes, and many others, have significantly raised the bar for cybersecurity in the financial sector and have demanded increased investments in technology and manpower. If you haven’t already, take care in taking the proper action before April 29 to ensure you’re well prepared to avoid risks of noncompliance penalties.

About the Author

Christopher Salone, CISA, MBA, CCSFP is a Consulting Manager and Financial Services Practice Leader of FoxPointe Solutions, the Information Risk Management Division of The Bonadio Group. His work focuses on internal and external auditing of information technology and information security practices and controls, providing services to clients across multiple industries, including public and private companies, financial institutions, healthcare organizations, tech companies, and school districts. He conducts audits in accordance with regulatory compliance standards. Christopher can be reached online at [email protected] and at the FoxPointe Solutions website: http://www.foxpointesolutions.com.



Source link