In brief
New York banks, lenders, companies, and service providers should note that on November 1, 2024, the amendments to the New York Department of Financial Services’ (“NYDFS’“) cybersecurity regulations took effect. The amendments widened the scope of “covered entities” to include any licensed financial institution company operating in New York regardless of whether it is already regulated by other government agencies. Additionally, the amendments require the regulated entities to significantly increase their proactive and reactive breach readiness.
In depth
The NYDFS supervises and regulates the activities of more than 3,000 financial institutions with assets totaling more than $9.7 trillion as of Dec. 31, 2023. The Department regulated more than 1,900 insurance companies with assets of more than $6.4 trillion and more than 1,300 banking and other financial institutions with assets totaling more than $3.3 trillion. The financial services sector is an important part of the nationâs critical infrastructure and a target for cyber-attacks.
To protect businesses and consumers alike, NYDFS became the first state to enact detailed cybersecurity regulations in 2017. NYDFS’ cybersecurity regulations impose proscriptive technical and administrative standards and controls to secure sensitive data. This approach requires businesses to holistically integrate cybersecurity into business planning, decision-making, and ongoing risk management.
NYDFS regularly updates its cybersecurity regulations as threats evolve. Last November 2023, NYDFS amended its cybersecurity regulations to mandate cyber governance. Effective November 1, 2023, NYDFS revised its cybersecurity requirements again:
- Exemptions: Companies that have fewer than twenty employees with less than $7,500,000 in gross annual revenue in each of the last three fiscal years or less than $15,000,000 in year-end total assets are now exempted. This is an increased threshold exemption as previously, only companies that had 10 or fewer employees, less than $5,000,000 in gross annual revenue or less than $10,000,000 in year-end total assets were exempted.
- Increased Responsibility: Companies’ senior governing body must now have sufficient understanding of cybersecurity-related matters to effectively oversee cybersecurity-related manners. Additionally, the senior governing body must also oversee the implementation of an effective cybersecurity program and ensure management has allocated enough resources to the company’s cybersecurity program. The companyâs Chief Information Security Officer (“CISO“) is also required to now make timely reports of material cybersecurity issues to the senior governing body and provide plans for remediating material inadequacies in its annual CISO report.
- Proactive Plans: The new amendments still require companies to establish and implement an incident response plan. However, now, companies must make their incident response plan proactive instead of just reactive. Proactive measurers include addressing: 1) the goals of the incident response plan; 2) the internal process for responding to a cybersecurity event; 3) preparation of root cause analysis describing how and why the event occurred, what business impact it had, and what will be done to prevent reoccurrence; and 4) updating the incident response plans as necessary. Additionally, companies must have a business continuity and disaster recovery plan.
- Encryption: Companies are now required to encrypt all nonpublic information being moved to external systems in compliance with industry standard encryption policy rather than simply providing encrypted data was an exempted data category.
Key Takeaways
Federal and state financial regulators have consistently modeled their regulations after the NYDFS’ cybersecurity regulations. We continue to track the global mandates for companies’ to implement proactive and reactive cybersecurity measures.
Companies, especially those in critical infrastructure such as financial entities, are encouraged to review their cybersecurity and data governance programs to ensure that: 1) its policies and procedures are both proactive and reactive; 2) all plans are customized to the company’s needs and specific compliance requirements; and 3) customized trainings and education for all stakeholders, including senior leadership, is offered to help identify and mitigate cyber risk.
If you have any questions regarding strengthening or tailoring your company’s cybersecurity and data governance program, please contact your Baker McKenzie attorney or the authors below.
