The New York Department of Financial Services has modified its cybersecurity requirements for regulated entities. These requirements are in addition to those included in the regulations as last updated in November of last year. The new requirements go into effect November 1, 2024. They modify several parts of the rule, including:
- CISO reporting requirements: Under the current regulations, the CISO must report on cybersecurity to the company’s leadership. The revised regulations now require the report to include information about remediation plans. Separate from the annual report, the CISO will also need to report any material cybersecurity issues (like a breach) to senior officers.
- New responsibilities for the senior governing body: As revised, the regulations emphasize that the regulated entity’s senior governing body is responsible for overseeing cybersecurity risk management. This includes understanding cybersecurity-related concepts. Senior leadership’s obligations also include reviewing management reports about cybersecurity matters and confirming that the company has devoted enough resources to implement an effective cybersecurity program.
- Encrypt all nonpublic information: The new amendments removed an exception for encrypting data that is in transit. Now, companies need to encrypt all nonpublic information being moved to external systems.
- Update the incident response plan: As amended, the regulations call for different content in regulated entities’ incident response plans. This includes processes for responding to a cybersecurity event and for recovering systems from backups. IRPs will also need to have provisions for conducting root cause analyses of incidents.
- Business continuity and disaster recovery plan: As amended, the regulations clarify the requirements for disaster recovery plans. Among other things, the plans need to be in writing and identify all things necessary to continue operations during a cyber-related event. Provisions also need to be in place to train employees who implement both IRPs and the recovery plans.
- New categories for exempted companies: As revised, businesses with fewer than twenty employees or less than $7,500,000 in annual revenue over the past three years are afforded certain exemptions. This raises the previous thresholds of 10 employees and $5,000,000 in annual revenue. Businesses with less than $15,000,000 (instead of $10,000,000) in year-end total assets are exempt as well.
Putting it into Practice: Modifying its cybersecurity regulations may become a November tradition for NYDFS. Companies covered by the regulation should keep in mind these new obligations, especially on reporting and internal plans, when reviewing their cybersecurity programs.