New York Adds Stiffer Requirements to Cybersecurity Rules

New York’s financial watchdog published significant updates to its cybersecurity regulations Wednesday, adding strict provisions around board oversight and ransom payments that go further than recent federal rules.

Source: WSJ | Published on November 3, 2023

The New York State Department of Financial Services, which oversees banks, insurance firms, mortgage brokers and other financial institutions, expanded its initial cybersecurity rules, published in 2017, because rising cyberattacks require stronger protections, said Adrienne Harris, superintendent of financial services, in a statement.

Chief information security officers are placed front and center in the new regulations as having responsibility for ensuring that companies comply with the rules, and that internal policies are enforced.

In some areas, the updated rules are similar to those recently approved by the U.S. Securities and Exchange Commission, particularly around how cybersecurity programs are supervised. However, New York’s rules go into greater detail than the SEC’s in some areas.

Boards of directors, or other senior committees, are charged with overseeing cybersecurity risk management, and must retain an appropriate level of expertise to understand cyber issues, the rules say. Directors must sign off on cybersecurity programs, and ensure that any security program has “sufficient resources” to function.

In a new addition, companies now face significant requirements related to ransom payments. Regulated firms must now report any payment made to hackers within 24 hours of that payment.

DFS’s new requirements come as authorities generally have taken a stronger approach toward ransom payments than in the past. At a summit this week hosted by the U.S. government at the Justice Department, nations belonging to the Counter Ransomware Initiative were finalizing a pledge to not pay ransoms to criminals when government systems come under attack.

“As long as there’s money flowing to ransomware criminals, the problem will continue to grow,” said Anne Neuberger, deputy national security adviser for cyber and emerging technology, on a call with reporters Tuesday.

While New York’s rules stop short of banning ransom payments, they require companies that pay a ransom to submit a report to the agency describing the decision-making process that resulted in payment and other avenues considered.

Other additions to New York’s rules include stronger requirements for cybersecurity technologies. This includes multifactor authentication, which the rules say companies should have in place at a minimum. The rules stipulate that cybersecurity must be a significant part of business continuity plans, and that safety measures such as data backups should be regularly tested.

One unchanged rule: The state will still require companies to report cybersecurity incidents within 72 hours. But the rule now specifies that the clock starts when the company determines it has experienced a cybersecurity incident, and it must provide the regulator with any information it requests. By contrast, the SEC’s rules require reporting four days after a company determines that a cyber incident will be material to its business.

DFS received more than 1,200 responses to its request for comment on the proposed rule changes. Some suggested that the agency align its reporting regime and broader rules with others being developed within the federal government, such as the Cyber Incident Reporting for Critical Infrastructure Act.

The Bank Policy Institute and the American Bankers Association, lobby groups for the financial industry, sent letters to the Office of the National Cyber Director on Tuesday urging harmonization between regulators on reporting regimes.

In a public response, DFS said that it believed its own standard was sufficient and rejected calls to align with federal requirements.

“Since our regulation has been the model for multiple federal and state cybersecurity regulations, for example, the National Association of Insurance Commissioners cybersecurity model law which has been adopted to date by 22 states, our starting point is already in good alignment with other relevant frameworks,” a spokesperson for DFS said.