Risk Management Lessons from New York's Cybersecurity Regulation

Fahad Diwan | October 8, 2024

In 2017, the New York Department of Financial Services (NYDFS) first introduced its landmark cybersecurity regulation, 23 NYCRR Part 500, which set new standards for financial institutions to safeguard their systems and protect sensitive information. In 2023, significant amendments were made to this regulation, making it even more comprehensive and stringent in response to the increasingly complex cyberthreat landscape. In fact, in its first enforcement action following the amendments, NYDFS fined Genesis Global Trading $8 million for noncompliance, highlighting the urgency of the regulatory updates and the potential consequences for failures to comply.

The NYDFS cybersecurity regulation was initially implemented to mitigate the growing risks of cyberthreats targeting financial institutions. The 2023 amendments build on the original framework, introducing more rigorous requirements that extend beyond the controls set by federal agencies like the SEC.

A wide range of entities licensed under New York's banking, insurance or financial services laws must now conduct detailed assessments of their cybersecurity risks and implement robust programs to manage those risks. This covers large financial organizations directly, and it reaches contractors and third-party service providers that access non-public information (NPI) indirectly: a covered entity must maintain a third-party service provider policy that imposes minimum cybersecurity practices on any vendor handling its NPI. NPI includes Social Security numbers, health care records and other sensitive data whose compromise could significantly harm the organization or its customers, so the practical effect is that even organizations outside the direct regulatory scope are held to the regulation's standards when they touch a covered entity's data.

Understanding the New Requirements of 23 NYCRR Part 500

Last year’s amendments introduced several key changes to strengthen regulated entities’ cybersecurity posture. The changes reflect the evolving nature of cyberthreats and the need for more proactive and comprehensive cybersecurity measures. These include:

  • Enhanced Governance: The amendments integrate cybersecurity into the organization's broader governance framework. The senior governing body (typically the board) must exercise oversight of the cybersecurity program, and the CISO must report to it at least annually. Class A companies (those meeting the revenue and employee thresholds described below) face the more stringent requirement of conducting independent audits of their cybersecurity programs, scoped by their risk assessments. Such audits verify that controls are actually implemented, effective and aligned with the current threat landscape rather than merely documented.
  • Risk Management: Entities are required to conduct risk assessments at least annually, and whenever a material change in business or technology warrants one, and to document them so that they inform updates to cybersecurity policies and procedures. These assessments should consider both internal and external threats, including the latest developments in cybercrime. For example, ransomware as a service has lowered the barrier for threat actors to launch attacks, so regulators expect organizations to show concrete steps taken to manage that specific threat.
  • Data Management: Organizations must maintain and regularly update a comprehensive asset inventory that includes all systems handling NPI, including details such as the system owner, location, classification and recovery time objectives. Additionally, the regulation mandates the secure disposal of data that is no longer necessary for business operations, which can help reduce the risk of data breaches involving outdated or irrelevant information.
  • Incident Response: Covered entities are required to have detailed incident response plans that include business continuity and disaster recovery protocols. Organizations must test these plans at least annually to ensure they work during a real cyber incident, and relevant staff must be trained on them. The regulation retains the obligation to notify NYDFS of a cybersecurity incident within 72 hours of determining it has occurred, and the amendments add a stricter requirement around extortion: any ransom payment must be reported within 24 hours, with a written explanation of why the payment was necessary and what alternatives were considered due within 30 days.

Special Obligations and Exemptions

The amendments introduce special obligations for a new category of entities known as “Class A companies,” defined by their size and complexity. To qualify as a Class A company, an entity must have at least $20 million in gross annual revenue from New York operations and, in addition, either more than 2,000 employees (counting affiliates) or over $1 billion in gross annual revenue from all operations. These companies must conduct independent audits of their cybersecurity programs based on their risk assessments, implement endpoint detection and response together with centralized logging and security event alerting, monitor privileged access activity with a privileged access management solution, and use an automated method of blocking commonly used passwords for all accounts on systems they own or control (and wherever feasible for other accounts).

The Class A requirements were designed to address the higher level of risk that larger, more complex organizations carry. Under the amendments, these entities must invest in more sophisticated cybersecurity infrastructure and processes, reflecting their greater exposure to cyberthreats.
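The "automated method of blocking commonly used passwords" is the one Class A obligation above that is a concrete technical control rather than a governance requirement, so it is worth seeing what such a check looks like in practice. The following is an added example written for this article, not code from NYDFS or from any product; the regulation names the outcome, not the mechanism. It layers a local blocklist with normalization (so "P@ssw0rd2024!" is still caught as "password") on top of a k-anonymity lookup in the style of the Pwned Passwords range API, where only the first five hex characters of the password's SHA-1 leave the client. The blocklist entries, the breach corpus and the `range_lookup` function are all constructed stand-ins for a real list and a real remote service; SHA-1 appears only because that API uses it as a lookup key, not as a password storage hash.

```python
"""
Added example: an automated commonly-used-password check of the kind
23 NYCRR 500.7 asks Class A companies to run on every account.

Layer 1: a local blocklist, checked against the raw lowercase password
         and a normalized form that strips the decorations users add to
         dodge naive lists (case, leet substitutions, trailing digits/symbols).
Layer 2: a k-anonymity lookup against a breach corpus, Pwned Passwords
         style: the client sends a 5-char SHA-1 prefix, receives every
         suffix under that prefix, and compares locally.

COMMON_PASSWORDS, _BREACH_CORPUS and range_lookup are constructed stand-ins
for a large list and a real range API (assumptions, not the regulation's).
"""
import hashlib
import re
from typing import Callable, Dict, Tuple

# Constructed sample blocklist; a deployment loads a list of millions.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Common leet substitutions folded back to letters.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                       "4": "a", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Lowercase, drop trailing digits/punctuation, then undo leet:
    'P@ssw0rd2024!' -> 'password', 'Adm1n#' -> 'admin'."""
    s = pw.strip().lower()
    s = re.sub(r"[\d\W_]+$", "", s)   # strip first so '2024!' is not leet-mapped
    return s.translate(_LEET)


def sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: prefix -> {suffix: prevalence count}.
_BREACH_CORPUS: Dict[str, Dict[str, int]] = {}
for _pw, _count in [("password", 9_000_000), ("letmein", 200_000), ("Tr0ub4dor&3", 3)]:
    _h = sha1_hex(_pw)
    _BREACH_CORPUS.setdefault(_h[:5], {})[_h[5:]] = _count


def range_lookup(prefix: str) -> Dict[str, int]:
    """Stand-in for GET /range/{prefix}: the server only ever sees 5 hex chars,
    so it cannot learn which password (if any) the client is checking."""
    if len(prefix) != 5:
        raise ValueError("range prefix must be exactly 5 hex characters")
    return dict(_BREACH_CORPUS.get(prefix, {}))


def breach_count(pw: str, lookup: Callable[[str], Dict[str, int]] = range_lookup) -> int:
    """How many times the password appears in the corpus; 0 if never."""
    h = sha1_hex(pw)
    return lookup(h[:5]).get(h[5:], 0)


def is_blocked(pw: str, threshold: int = 1) -> Tuple[bool, str]:
    """Return (blocked, reason). Local list first (no network), then corpus."""
    if pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS:
        return True, "on local common-password blocklist"
    n = breach_count(pw)
    if n >= threshold:
        return True, f"seen {n} times in breach corpus"
    return False, "ok"


if __name__ == "__main__":
    for candidate in ["P@ssw0rd2024!", "123456", "Tr0ub4dor&3", "correct horse battery staple"]:
        blocked, reason = is_blocked(candidate)
        print(f"{candidate!r}: {'BLOCKED' if blocked else 'allowed'} ({reason})")
```

Two design points matter for an auditor: the check runs at password set and reset time on every account, not only privileged ones, which is what the amended text asks for; and the breach lookup never transmits the password or its full hash, so the control does not itself create a new exposure of credentials.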

While the regulation is comprehensive, it does allow limited exemptions for smaller entities. Companies with fewer than 20 employees (including independent contractors), less than $7.5 million in gross annual revenue from New York operations, or less than $15 million in year-end total assets may qualify for these exemptions, which remove some of the regulatory burden. However, even exempt entities must comply with core provisions such as cybersecurity awareness training, secure data disposal, limiting access privileges and maintaining written cybersecurity policies.

Best Practices for Compliance

To achieve compliance with the NYDFS cybersecurity regulation, organizations must develop and maintain robust cybersecurity programs that address both current and emerging threats. The regulation provides a detailed framework for building these programs, emphasizing the importance of a proactive and comprehensive approach to cybersecurity. Some of the requirements include:

  • Policies and Procedures: At the core of any cybersecurity program are the policies and procedures that guide the organization’s approach to protecting information systems and NPI. These policies must cover a wide range of topics, including data governance, access control, incident response and vulnerability management. The regulation requires organizations to review and update these policies annually to ensure they remain effective despite evolving threats.
  • Training and Awareness: Regular cybersecurity training is required under the regulation, specifically with an emphasis on social engineering attacks. Organizations must train all employees at least annually, with additional training provided as needed based on the specific risks the organization faces. Comprehensive training is essential for building a security-conscious culture and ensuring that all employees know their role in protecting the organization's data and systems.
  • Documentation and Reporting: Covered entities must document their compliance efforts, including risk assessment results, incident response plans and cybersecurity policies. The documentation must be available for NYDFS to inspect at any time. Additionally, organizations must submit an annual compliance certification signed by the highest-ranking executive (typically the CEO) and the chief information security officer (CISO). The certification must be backed up with data and evidence demonstrating the entity’s material compliance with the regulation.

New York's updated cybersecurity regulation is more than just a set of rules: it is a blueprint for the future of cybersecurity in the financial services industry. As cyberthreats continue to evolve, organizations nationwide should consider adopting the proactive, comprehensive approach to cybersecurity that this regulation lays out.

Fahad Diwan, JD, FIP, CIPP/M, CIPP/C, is the director of privacy and data governance products at Exterro.