On November 1, 2023, the New York Department of Financial Services (NYDFS) finalized amendments to its cybersecurity regulation, 23 NYCRR Part 500, which originally took effect on March 1, 2017. The amendments require many covered entities to revisit and refine their existing practices. The changes touch many parts of the regulation, but the most significant ones add obligations around processes, procedures and governance rather than mandating new technology: most of the work lies in tightening how existing controls are documented, governed and evidenced.
For entities subject to the regulation, understanding these changes early is important, because several of them raise the bar for what must be in place and what must be demonstrable to the regulator. For a comprehensive view of the changes, click here to download our full report.
Here are some of the key amendments that could reshape the compliance landscape for larger covered entities:
- Cybersecurity Program: Larger covered entities are now required to have their cybersecurity program independently audited. The program, including its policies and procedures, must be made available to the Superintendent upon request.
- Cybersecurity Governance: The board of directors (or equivalent senior governing body) must exercise oversight of the cybersecurity program and have, or be advised by people who have, sufficient understanding of cybersecurity matters to do so. This includes ensuring that the program receives adequate funding and resources.
- Multi-Factor Authentication: The amendments now mandate MFA in specific areas: remote access to the entity's information systems, remote access to third-party applications from which nonpublic information (NPI) is accessible, and all privileged accounts, other than service accounts that prohibit interactive login.
- Asset Management and Data Retention Requirements: The data retention section now also covers asset management. Entities must not only have written policies and procedures but also maintain an asset inventory that tracks specified attributes for each asset, including its classification or sensitivity, the vendor's end-of-life (EOL) support expiration date, its recovery time objective, and how often the inventory itself must be updated and validated.
- Incident Response and Business Continuity Management: Incident response planning now explicitly includes business continuity and disaster recovery (BCDR) planning. Entities are obligated to take proactive steps to investigate and mitigate cybersecurity incidents so as to maintain operational resilience. The regulation spells out what BCDR plans must cover, including their scope, the critical functions and systems they must address, and the requirement to test them.
- Notices to Superintendent: The 72-hour notification requirement for cybersecurity incidents remains and now also covers incidents that occur at affiliates and third-party service providers. Entities must provide updates as material information about an incident changes. The annual attestation of material compliance must now be supported by documentation sufficient to back it up. In addition, an extortion payment must be reported to the Superintendent within 24 hours, followed within 30 days by a written explanation of why the payment was necessary, what alternatives were considered, and what diligence was performed.
Navigating the many changes introduced by the amended NYDFS regulation can seem daunting. The amendments themselves phase in over roughly two years from the November 1, 2023 adoption date, with different provisions carrying different transitional deadlines, so a well-structured implementation timeline keyed to those dates is the most practical way to sequence the work.
The amended NYDFS regulation demands a thorough reassessment of cybersecurity practices. From independent audits to stronger governance and broader multi-factor authentication, these changes call for a methodical approach. By following a structured timeline, businesses can not only meet the amended requirements but also strengthen their cybersecurity resilience in an evolving regulatory landscape.
Leveraging the expertise of MorganFranklin Consulting professionals can further streamline this process, offering tailored solutions to ensure seamless compliance and fortified cybersecurity strategies.
Click here to download our report to view a full comparative list of the changes made to the NYDFS regulation.