DFS proposes updated cybersecurity rule for financial services in New York

More vulnerability management and security practices in proposed rule amendments.

The New York State Department of Financial Services (DFS) has proposed amendments to its cybersecurity regulation to address the growing number and severity of cyber threats and to codify best practices that protect consumers and businesses. As we reported earlier, the US is the country suffering most from ransomware attacks, and New York companies are among those targeted most frequently.

“With cyber-attacks on the rise, it is critical that our regulation keeps pace with new threats and technology purpose-built to steal data or inflict harm,” said Superintendent Adrienne A Harris. 

The updated rule would apply to businesses that sell financial services in the state of New York, such as banks, insurance firms and cryptocurrency startups, as well as non-financial companies that offer those services to New York residents.

“Cyber criminals go after all types of companies, big and small, across industries, which is why all of our regulated entities must comply with these standards – whether a bank, virtual currency company, or a health insurance company.”  

Adrienne A Harris, Superintendent, NY DFS

Risk and vulnerability assessments

DFS’s original regulation, promulgated in 2017, is now used as a model by both federal and state financial regulators. The proposed changes strengthen the Department’s risk-based approach, with the aim of integrating cybersecurity risk into business planning, decision-making and ongoing risk management, including:

  • the creation of three tiers of companies, further tailoring the regulation to a diverse set of businesses with different defensive needs;       
  • enhanced governance requirements, thereby increasing accountability for cybersecurity at the Board and C-Suite levels;   
  • additional controls to prevent initial unauthorized access to technology systems and to prevent or mitigate the spread of an attack;   
  • requirements for more regular risk and vulnerability assessments, as well as more robust incident response, business continuity and disaster recovery planning; and   
  • direction for companies to invest in regular training and cybersecurity awareness programs that are relevant to their business model and personnel.   

Company classification

A three-tiered classification structure is proposed. It would group covered businesses by size and exempt the smallest companies from some parts of the cybersecurity rule.

Only the largest companies, labelled ‘Class A companies’, would be subject to every part of the rule. A Class A company would be defined as any business whose New York operations generated more than $20m in annual revenue in each of the prior two fiscal years, and which either:

  • had 2,000 or more employees averaged over the last two fiscal years, regardless of where those employees are located; or
  • had more than $1bn in annual revenue in each of the last two fiscal years across all of its operations.

More reports from CISO

Other changes include expanded responsibilities and reporting duties for chief information security officers (CISOs). Under the amendments, the CISO must have adequate authority “to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program”.

CISOs would also need to make more reports to senior management, some of which the current rule already requires. Under the amended rule, however, these reports would have to include details of how the CISO plans to remediate any material weaknesses in the security program. Further reports would be required on any ‘material cybersecurity issue’ and whenever the business updates its cybersecurity risk assessment.

Data destruction policy

Besides the CISO reports, companies will also need to adopt written policies and procedures “designed to ensure a complete, accurate and documented [IT] asset inventory.” These will need to include a method for tracking important information about each IT asset, including location, owner, support expiration date, and classification or sensitivity of data.
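The attributes listed above (location, owner, support expiration date and data classification) are easy to require on paper and hard to keep complete in practice. The following script is an added example, not code from the article or from DFS, showing how a practitioner might audit an inventory export against those attributes: it flags records with missing fields, duplicate asset identifiers, unparseable dates and support that has already lapsed. The field names and the sample inventory are assumptions constructed for the example.

```python
"""Audit an IT asset inventory against the attributes the proposed amendment
names: location, owner, support expiration date and data classification.

Added example for illustration; not the article's or DFS's code. The field
names and the sample records below are assumptions, not a DFS schema.
"""
from collections import Counter
from datetime import date

# The attributes the proposed rule says each asset record should carry
# (asset_id is the key we use to report findings; the rest are assumed names).
REQUIRED_FIELDS = ("asset_id", "location", "owner", "support_expires", "classification")

# Constructed sample inventory export, not real data.
SAMPLE_INVENTORY = [
    {"asset_id": "srv-001", "location": "NYC-DC1", "owner": "platform-team",
     "support_expires": "2026-03-31", "classification": "nonpublic"},
    {"asset_id": "lt-042", "location": "remote", "owner": "",            # owner blank
     "support_expires": "2023-01-15", "classification": "nonpublic"},   # support lapsed
    {"asset_id": "sw-007", "location": "NYC-DC1", "owner": "netops",
     "support_expires": "2025-12-31"},                                   # classification missing
]


def audit_inventory(inventory, today):
    """Return a list of (asset_id, finding, detail) tuples.

    Findings, in the order they are detected per record:
      missing_fields   - one or more required attributes are absent or blank
      bad_date         - support_expires is not an ISO date (YYYY-MM-DD)
      support_expired  - support_expires is earlier than `today`
    Duplicate asset IDs are reported once per duplicated ID at the end.
    """
    findings = []
    for asset in inventory:
        asset_id = asset.get("asset_id") or "<unknown>"

        missing = [f for f in REQUIRED_FIELDS if not asset.get(f)]
        if missing:
            findings.append((asset_id, "missing_fields", ",".join(missing)))

        expires = asset.get("support_expires")
        if expires:
            try:
                expiry = date.fromisoformat(expires)
            except ValueError:
                findings.append((asset_id, "bad_date", expires))
                continue
            if expiry < today:
                findings.append((asset_id, "support_expired", expires))

    # "Complete and accurate" also means no record is counted twice.
    counts = Counter(a.get("asset_id") for a in inventory if a.get("asset_id"))
    for asset_id, n in counts.items():
        if n > 1:
            findings.append((asset_id, "duplicate_id", str(n)))

    return findings


if __name__ == "__main__":
    for asset_id, finding, detail in audit_inventory(SAMPLE_INVENTORY, date(2024, 1, 1)):
        print(f"{asset_id}: {finding} ({detail})")
```

Run against a real export, the script is only as good as the export; pair it with a discovery source (network scans, cloud API listings) so that assets absent from the inventory are caught as well as incomplete ones.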

A written policy for the disposal and destruction of nonpublic information that is “no longer necessary for business operations or for other legitimate business purposes” would also be required. Poor data destruction has featured in recent enforcement actions, including the EyeMed data breach and the Morgan Stanley case, in which data was left on decommissioned devices that were then sold to third parties.

Required testing

The proposed rule would also require annual penetration testing conducted from both inside and outside the company’s information systems. All material issues discovered would have to be documented and the results reported to senior management. A monitoring process would also be required to ensure that the cybersecurity team is promptly informed of new security vulnerabilities.

The rule amendments would also require a more expansive use of multi-factor authentication for:

  • remote access to the covered entity’s information systems; 
  • remote access to third-party applications that contain or process nonpublic information; and 
  • all privileged accounts.

The proposed changes are open for public comment for 60 days. After that, DFS will review all comments and either repropose a revised version or adopt the final regulation. Read the full proposed amended regulation on the DFS website.