NYDFS Proposed Cybersecurity Changes
Over the past decade, cyber attacks have become increasingly common and sophisticated. As a result, companies in the financial sector risk losing sensitive information and facing hefty penalties.
To address these concerns, the New York Department of Financial Services (NYDFS) implemented cybersecurity regulations in March 2017 and now proposes updates to keep up with the ever-changing cyber threat landscape.
But what exactly are these changes, and how will they affect companies? In this article, we’ll examine the NYDFS’s proposed changes and what they mean for businesses.
WHAT ARE THE PROPOSED CYBERSECURITY CHANGES?
In November 2022, a second round of amendments to 23 NYCRR Part 500 (commonly referred to as ‘NYDFS Part 500’) was released. It’s a set of emerging and more stringent cybersecurity requirements for financial organizations with operations in New York State.
The proposed changes would require financial institutions to establish specific data security standards and maintain comprehensive cybersecurity policies and procedures.
The proposed amendments cover the following categories:
- Enhanced mandatory controls associated with common attack vectors
- Improved requirements for privileged accounts
- Additional notification obligations
- Expansion of cyber governance practices
- Added cybersecurity requirements for larger companies
By implementing these changes, NYDFS hopes to create effective oversight over the financial industry by guiding best practices related to cybersecurity. Now let’s take a closer look at each proposed change.
1. ENHANCED MANDATORY CONTROLS ASSOCIATED WITH COMMON ATTACK VECTORS
The proposed amendment would require financial institutions to take proactive measures, such as identifying potential attack vectors and developing strategies for mitigating cyber risks.
The first requirement covers a broad range of things, including technology controls, process changes, policy documents, and monitoring. The NYDFS does not intend to establish new requirements but rather to ensure that companies already doing business in certain sectors adhere to specific cybersecurity standards. The goal is to establish a baseline security posture for companies.
To make this process easier, businesses work with third-party consulting companies to identify risk areas and prioritize their response solution strategy. At Marcum, we’ve found that companies can quickly implement these changes in a cost-effective way when they work with our team.
2. IMPROVED REQUIREMENTS FOR PRIVILEGED ACCOUNTS
The proposed amendment would also impose enhanced requirements for privileged accounts. This means that financial institutions must ensure that access to these accounts is limited and adequately monitored. Companies should implement two-factor authentication and regular password changes to help protect against unauthorized access.
Organizations should also document all privileged account activities and keep detailed logs of administrative changes. In addition, companies should have regular independent audits of privileged accounts to help detect any suspicious activity or misuse of the account.
3. ADDITIONAL NOTIFICATION OBLIGATIONS
Another focus of the proposed amendment is enhanced notification obligations. To report a data breach, companies must follow specific procedures according to the laws of their state and notify affected individuals. And the form of the notice matters–getting it wrong can result in fines.
How a company handles a data breach notice can be more costly than the breach itself. This is why companies often bring in external experts to help navigate the process and avoid penalties and lawsuits.
Marcum helps companies assess their systems to ensure compliance with current and upcoming requirements. We can help plan for and manage potential data breaches by establishing security best practices.
4. EXPANSION OF CYBER GOVERNANCE PRACTICES
The proposed amendment includes the expansion of cyber governance practices to ensure that financial institutions are protecting the privacy and security of their customers.
Cyber governance practices refer to prescriptive cybersecurity policies put in place to determine and manage risks related to an organization’s network, applications and valuable data. This includes high-level statements about security protection and guidelines for what should and should not be in their environment.
In practice, governance is about creating and enforcing policies for security within an organization. If there is a breach, regulators will compare the policy documents to current business operations. If there’s a gap, it means the organization is not compliant with its own rules. This can result in being deemed grossly negligent.
At Marcum, we utilize our comprehensive expertise to create a policy strategy for an organization’s specific cybersecurity risk environment. This ensures that a company is not merely compliant but sufficiently cyber-ready.
5. ADDED CYBERSECURITY REQUIREMENTS FOR LARGER COMPANIES
In 2019, the largest financial sector data breach occurred at First American Financial Corporation, affecting 885 million data records. As one of the many financial sector data breaches, it’s unsurprising that the proposed amendment includes additional cybersecurity requirements for larger companies.
Companies classified as “large” by the NYDFS should establish and maintain a comprehensive cybersecurity program that includes policies and procedures, personnel training, system monitoring, incident response plans, encryption technologies, and third-party vendor management.
At Marcum Technology, we help companies create robust cybersecurity strategies. We develop a meticulous strategy as we assess and address each risk factor, starting with the most prominent risk items. We also estimate the time, effort, and cost needed to bring operations to the new security standard so companies are not in the dark about these efforts.
FINAL TAKEAWAYS
The immediate goal is for companies that do business in NY state to demonstrate that they are compliant with these regulations as they become law in May 2023. Compliance will soon be enforced, and businesses must be ready.
To help ensure organizations are compliant, here are Marcum’s recommendations:
- Get a risk assessment from a qualified third party to determine compliance with part 500.
- Prioritize investments for remediation of high-impact items.
- Recognize these changes as a business opportunity to differentiate from competitors by being fully compliant and trustworthy.
Marcum Technology can conduct a readiness assessment against NYDFS Part 500 to provide insights into potential gaps and help prioritize which areas require remediation first. That’s particularly important given that remediation can be a lengthy and expensive process.
Our team already performs these assessments and has great success in helping clients become fully and quickly compliant. Contact us today for your cybersecurity assessment.
