New York State Expands Cybersecurity Rules

In November, the New York State Department of Financial Services released cybersecurity regulations that amend the state’s 2017 cybersecurity regulations. Key changes include:

  • Governance requirements, including the appointment of a chief information security officer with prescribed duties and a requirement that certain companies audit their cybersecurity policy annually;
  • More frequent risk and vulnerability assessments, and more robust incident response, business continuity, and disaster recovery planning;
  • A new notification requirement to report ransomware payments within 24 hours of a ransom being paid; and
  • A directive that entities invest in at least annual training and cybersecurity awareness programs relevant to the entity’s business model and personnel.

The Amended Regulations apply to any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the New York Banking Law, Insurance Law, or Financial Services Law. Those entities will be required to comply with the updated regulations by April 2024, although certain requirements will take effect sooner.
