
New York proposes changes to financial services cybersecurity regulations


More small financial services firms would be exempted, rules would be tailored to reflect greater diversity among regulated businesses, and senior executives of financial services firms would face increased accountability under proposed changes to New York's cybersecurity regulation for the financial services industry.

The New York State Department of Financial Services (DFS) has proposed amendments to its original cybersecurity regulation, which it promulgated in 2017. The proposed amendments will be open for public comment for 60 days.

The regulation, which aims to protect New York's financial services industry from the threat of cyberattacks, was the first of its kind in the United States. It requires every company supervised by DFS to assess its specific cybersecurity risk profile and implement a program that addresses those risks.


Insurers, banks and other financial services entities regulated by DFS had until March 2019 to comply by adopting cybersecurity practices and policies that ensure the security of their information systems and non-public information. DFS took its first enforcement action under the regulation in July 2020, in a data breach case involving a title insurer.

The regulation has become a model that is now used by federal and state financial regulators.

Financial Services Superintendent Adrienne A. Harris said DFS has taken a "data-driven approach" to amending the regulation in order to "address new and growing cybersecurity threats" and "to ensure that cybersecurity risk is integrated into business planning, decision making and ongoing risk management."

According to DFS, the main changes include:

  • The creation of three tiers of companies, further tailoring the regulation to a diverse set of companies with different defensive needs.
  • An increase in the size threshold for small businesses that are exempted from many parts of the regulation, as a result of industry feedback and in recognition of the realities of operating a small business. Exempt businesses would include those with fewer than 20 employees or less than $5 million in gross annual revenue from New York business operations.
  • Enhanced governance requirements, increasing cybersecurity accountability at the board and C-suite level.
  • Additional controls to prevent initial unauthorized access to technology systems and to prevent or mitigate the spread of an attack.
  • A requirement for more regular risk and vulnerability assessments, as well as more robust incident response, business continuity and disaster recovery planning.
  • Encouragement for companies to invest in regular training and cybersecurity awareness programs tailored to their business model and their people.


"With cyberattacks on the rise, it's critical that our regulations keep pace with new threats and technologies specifically designed to steal data or inflict harm," Harris said. "Cybercriminals prey on all types of businesses, large and small, in all industries, which is why all of our regulated entities must adhere to these standards, whether it's a bank, a virtual currency company or a health insurance company."

Under the cybersecurity regulation, all banks, insurance companies and other financial services institutions and licensees regulated by DFS are required to have a cybersecurity program in place that protects consumers' private data, written policies approved by the board or senior management, a chief information security officer to help protect data and systems, and controls to protect data held by third-party vendors.

Companies must also report cybersecurity events online through the DFS Cybersecurity Portal.

DFS said that over the past few months it has solicited input on the proposed changes from other regulators, industry groups and regulated entities through its recent Cybersecurity Symposium, conferences and industry meetings.

After the 60-day comment period ends, DFS said it will review all comments and either publish a revised proposal or adopt the final rule.
