In November 2023, the New York Department of Financial Services (NY DFS) adopted the Second Amendment to its Cybersecurity Regulation (23 NYCRR Part 500), which was originally adopted in 2017. The amendment expands the required controls and tightens the reporting mandates. The main objectives of the regulation are to:
- Enhance the security and resilience of financial services entities against cyber threats.
- Ensure the confidentiality, integrity, and availability of information systems and nonpublic information.
- Foster a culture of cybersecurity awareness and compliance within the financial services sector.
The amendment also introduced a new category of covered entity, the Class A company. A Class A company is a covered entity with at least $20 million in gross annual revenue in each of the last two fiscal years from the New York business operations of the entity and its affiliates, and that also meets at least one of the following:
- More than 2,000 employees, averaged over the last two fiscal years, counting the employees of the entity and its affiliates regardless of where they are located
- More than $1 billion in gross annual revenue in each of the last two fiscal years from all business operations of the entity and its affiliates
While the core enhancements apply to all covered entities, Class A companies are subject to additional, more robust control requirements (independent audits of the cybersecurity program, a privileged access management solution with automated blocking of commonly used passwords, and endpoint detection and response with centralized log collection) in light of their size and the resources available to them.
So what now? If you were already meeting the NY DFS cybersecurity requirements, you are off to a great start. Even so, assess your program against the amended text to confirm that your existing controls meet the enhanced specifications; where they do not, there is still time to close the gaps. The amendment phases in the new requirements over a series of transitional periods. The key deadlines published by NY DFS are:
- December 1, 2023: Covered entities must notify DFS within 72 hours of determining that a cybersecurity incident has occurred that (a) must be reported to another government body, self-regulatory agency or supervisory body, (b) has a reasonable likelihood of materially harming a material part of normal operations, or (c) involves ransomware deployed within a material part of the entity's information systems. Any extortion (ransom) payment must be reported within 24 hours, followed within 30 days by a written explanation of why the payment was necessary and what alternatives were considered.
- April 15, 2024: Entities must submit either a certification of material compliance or an acknowledgment of noncompliance covering the 2023 calendar year, signed by the highest-ranking executive and the chief information security officer (CISO).
- April 29, 2024:
  - Risk assessments must be reviewed and updated at least annually and whenever a change in the business or technology causes a material change to cyber risk.
  - Cybersecurity policies must be reviewed and approved at least annually by the senior governing body or a senior officer, with written procedures covering, among other areas, data retention, remote access controls, security awareness and training, and incident notification.
  - Penetration testing must be performed at least annually, from both inside and outside the boundaries of the information systems, by a qualified internal or external party, alongside a vulnerability management process that prioritizes and remediates vulnerabilities based on the risk they pose.
  - Cybersecurity awareness training must be provided at least annually and must cover social engineering.
- November 1, 2024:
  - The CISO's written report must now include plans for remediating material inadequacies, and the CISO must report material cybersecurity issues, such as significant cybersecurity events and significant changes to the program, to the senior governing body or senior officers in a timely manner.
  - The written information security policy must require encryption that meets industry standards for nonpublic information both in transit over external networks and at rest; compensating controls are permitted only for data at rest, must be approved in writing by the CISO, and must be reviewed at least annually.
  - Incident response and business continuity and disaster recovery plans must be written, tested at least annually (with participation of the senior governing body and relevant staff), and maintained, and backups must be kept isolated from network connections.
- May 1, 2025:
  - Automated scans (and manual review of systems not covered by such scans) to discover and analyze vulnerabilities must be conducted at a frequency determined by the risk assessment and promptly after any material system change.
  - User access privileges must be limited to those necessary for the user's job function, privileged accounts must be limited and reviewed at least annually, accounts of departed users must be promptly disabled, remote device access protocols must be securely configured, and a reasonable written password policy meeting industry standards must be in place.
- November 1, 2025:
  - Multi-factor authentication is required for any individual accessing any information system of the covered entity; any compensating controls must be approved in writing by the CISO and reviewed at least annually.
  - Written policies and procedures to maintain a complete, accurate, and documented asset inventory must be implemented, tracking at a minimum each asset's owner, location, classification or sensitivity, support expiration date, and recovery time objective.
Though the DFS cybersecurity regulation has been in place for the better part of a decade, the amendment brings both stricter control requirements and more guidance on how to meet them. Ankura has worked with organizations to assess compliance and implement controls to meet the DFS standards since 2016. Contact us to learn more about our work and how we can support your team.
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.