NYS Department of Financial Services Proposes Updated Cybersecurity Regulation

The New York State Department of Financial Services (DFS) has proposed updated cybersecurity regulation.

Source: DFS | Published on November 9, 2022

Adrienne A. Harris, Superintendent of Financial Services, announced today that the New York State Department of Financial Services (DFS) has proposed an updated cybersecurity regulation. The original regulation issued by DFS in 2017 established a regulatory model that is now used by both federal and state financial regulators. To ensure that regulated entities address new and increasing cybersecurity threats with the most effective controls and best practices to protect consumers and businesses, DFS has taken a data-driven approach to amending the regulation.

“With cyber-attacks on the rise, it is critical that our regulatory framework keeps up with new threats and technology designed to steal data or cause harm,” said Superintendent Harris. “Cyber criminals target all types of businesses, large and small, across industries, which is why all of our regulated entities – whether a bank, virtual currency company, or health insurance company – must comply with these standards.”

The proposed amended regulation strengthens the DFS risk-based approach by incorporating cybersecurity risk into business planning, decision-making, and ongoing risk management. Among the modifications are:

  • The establishment of three company tiers, which further tailors the regulation to a diverse set of businesses with varying defensive needs. Furthermore, in response to industry feedback and in recognition of the realities of running a small business, the proposed amendment raises the size threshold for smaller businesses that are exempt from many parts of the regulation;
  • Increased governance requirements, resulting in increased accountability for cybersecurity at the Board and C-Suite levels;
  • Additional safeguards to prevent unauthorized access to technology systems and to prevent or limit the spread of an attack;
  • More frequent risk and vulnerability assessments, as well as stronger incident response, business continuity, and disaster recovery planning; and
  • Directing businesses to invest in regular cybersecurity training and awareness programs that are relevant to their business model and personnel.

DFS has solicited feedback on proposed amendments from other regulators, industry groups, and regulated entities over the past few months through the recent Cybersecurity Symposium, industry conferences, and meetings.

The proposed amended regulation is open for public comment for 60 days after it is published in the State Register. During the comment period, DFS welcomes feedback on the proposed amended regulation. Following the close of the comment period, DFS will review all comments received and either propose a revised version or adopt the final regulation.