The New York State Department of Financial Services Adopts Amendments to Strengthen Cybersecurity Regulations

What happened?

On Nov. 1, 2023, the New York State Department of Financial Services (NYDFS) finalized amendments to its 2018 regulations on cybersecurity to enhance cybersecurity governance, mitigate risks, and protect New York businesses and consumers from cyber threats. The amendments build upon the state’s existing cybersecurity regulations, which established an initial framework to protect against cyber threats, in an effort to improve safeguards for businesses and consumers.

“New York has always led the way in protecting businesses and consumers from online threats, and with these amendments to our nation-leading cybersecurity regulations, we are continuing to set the national standard,” Governor Hochul said. “On the heels of launching the State’s first-ever cybersecurity strategy, boosting state law enforcement’s cyber capabilities, and signing landmark legislation to protect our energy grid from cyberattacks, my administration is doubling down on our commitment to ensuring that financial institutions have the safeguards in place to protect vital customer data and maintain the integrity of our financial system.”

Key changes to regulations include:

  • Enhanced governance requirements;
  • Additional controls to prevent initial unauthorized access to information systems and to prevent or mitigate the spread of an attack;
  • Requirements for more regular risk and vulnerability assessments, as well as more robust incident response, business continuity, and disaster recovery planning;
  • Updated notification requirements including a new requirement to report ransomware payments; and
  • Updated direction for companies to invest in at least annual training and cybersecurity awareness programs that anticipate social engineering attacks and that are otherwise relevant to their business model and personnel.

To read the full press release, click here. To view a final copy of the adopted regulations, click here.

What does this mean for me?

This announcement represents a step toward tighter cybersecurity controls, which could be replicated in other states. Advisers should pay attention to local announcements to make sure current cybersecurity measures are in compliance. If you have any questions, please let us know.