Responding to New York’s updated cybersecurity rule for financial institutions

Last month, the New York Department of Financial Services finalized updates to a cybersecurity rule governing financial institutions that do business in the state. Here’s what banks and other institutions must know about the updated rule and what they should do in light of the new requirements.

New requirements for financial institutions

The update to the original 2017 rule — finalized Nov. 1, with many provisions taking immediate effect — introduces more stringent cybersecurity requirements for financial institutions operating in New York State, consistent with the overall push by federal and state regulators in recent years to better safeguard consumer data.

Under the updated rule, NYDFS-regulated financial institutions must:

  • Enhance their cybersecurity governance. Under the original rule, CISOs or their equivalents were required to report to boards annually on the cybersecurity program and material risks; they must now also report annually on plans for remediating material issues and report significant cybersecurity events and material changes to the program in a timely manner. Boards are required to be more directly involved in cybersecurity risk management, and organizations must test their incident response and disaster recovery plans annually through tabletop exercises and similar testing, while also completing annual cybersecurity risk assessments.

  • Apply various technical controls. Specifically, financial institutions are required under the updated rule to implement multifactor authentication and protections against malicious code, encrypt sensitive information in transit, limit user access privileges, and maintain written password policies. Covered entities must also conduct annual penetration testing and other vulnerability scanning and analysis, and maintain complete inventories of their information systems.

  • Engage in more rigorous incident response planning. Covered entities must now maintain written incident response plans “that contain proactive measures to investigate and mitigate cybersecurity events and to ensure operational resilience.” Plans must also “enable prompt response to, and recovery from” material cybersecurity incidents.

  • Promptly notify NYDFS of material cybersecurity events. In addition to data breaches, ransomware events must now also be reported, and any extortion payment must be reported within 24 hours of being made. Covered entities must also provide updates on material changes or newly available information after the initial report.

Notably, larger financial institutions, referred to under the rule as “Class A” companies, are subject to additional requirements. These are defined as NYDFS-regulated financial institutions with at least $20 million in gross annual revenue in each of the last two years from their New York State operations and either 2,000 or more employees or at least $1 billion in gross annual revenue from all operations in each of the last two years. Under the updated rule, Class A companies are required to:

  • Conduct independent audits of their cybersecurity programs annually (or more frequently).

  • Manage access privileges more carefully, including monitoring privileged-access activity, implementing privileged access management solutions, and automatically blocking commonly used passwords.

  • Implement endpoint detection and response solutions.

Next steps for financial institutions

The updated rule reflects the view of NYDFS and many other regulators that effective cyber risk management requires not only investment in technical controls but governance, starting at the top.

For some financial institutions, the new requirements will call for a new approach to cybersecurity and overall risk management, mandating significant investments of both time and capital. But organizations that have already committed to strong cyber hygiene and governance may find compliance with the updated rule to be relatively smooth.

Financial institutions regulated by NYDFS should:

  1. Update incident response plans to be in compliance with the rule.

  2. Determine if they fall under the definition of Class A companies and are thus subject to the additional requirements for those entities.

  3. Begin planning and budgeting for the new governance and reporting requirements.

Importantly, the NYDFS rule is in line with what cyber insurance underwriters have expected from policyholders for the last several renewal cycles. For financial institutions operating in New York, the updated rule should thus not be seen merely as a compliance requirement. Instead, it’s an opportunity to improve your standing with insurers and potentially secure more favorable terms and conditions.

New York’s rule change also comes at a time of greater cybersecurity and privacy scrutiny for all companies, regardless of industry. Over the last several years, the privacy regulatory landscape has changed drastically, as highlighted by the Securities and Exchange Commission’s recently introduced, more stringent requirements for public companies to disclose cybersecurity incidents.

That means organizations should consider the broader opportunity to mature their cybersecurity hygiene, which will be important as regulators in other jurisdictions advance similar rules and financial institutions and others remain under pressure to protect consumer privacy.