Cybersecurity Regulations Tighten--How the 2024 NYDFS Amendments Affect Your Business-5 Steps For CEOs and CISOs to Take.
Geoff Hancock CEO, CISO CISSP, CISA, CEH, CRISC
CEO and 6x Enterprise CISO----I help/coach/teach CISOs and CEOs in developing leadership skills, running cyber operations and understanding the business of cyber.
What is NYDFS?
The New York Department of Financial Services (NYDFS) is the regulatory body that oversees financial institutions operating in New York. Established in 2011, it has a broad mandate to regulate the banking, insurance, and financial services industries to protect consumers and ensure the stability of financial markets. One of its key initiatives is the Cybersecurity Regulation (23 NYCRR 500), which mandates stringent cybersecurity controls for companies under its jurisdiction.
The regulation has been instrumental in setting high cybersecurity standards for financial institutions, including banks, insurance companies, and other financial services firms.
Why the Change?
The increasing frequency and sophistication of cyberattacks, mainly on financial institutions, have prompted NYDFS to update its regulations to ensure businesses can better protect their data and respond more effectively to cyber incidents. The amendments address emerging threats like ransomware, supply chain vulnerabilities, and social engineering attacks powered by AI technologies like deepfakes. The goal is to protect nonpublic information (NPI) and ensure companies have robust governance and response strategies.
Additionally, these changes reflect a broader trend toward accountability, pushing senior management and boards of directors to take more active roles in overseeing their companies' cybersecurity programs.
What is Changing?
By November 1, 2024, businesses of every size covered by the NYDFS Cybersecurity Regulation must comply with new and updated requirements. The requirements differ for Class A companies, standard covered entities, and small businesses that qualify for a limited exemption.
For Class A and Standard Businesses
Cybersecurity Governance (Section 500.4)
o CISOs (Chief Information Security Officers) must include plans to remediate material cybersecurity weaknesses in their reports to senior governing bodies.
o CISOs must report material cybersecurity issues to senior leadership promptly.
o Senior governing bodies are now required to oversee cybersecurity risk management directly.

Encryption of Nonpublic Information (NPI) (Section 500.15)
o Companies must implement a written encryption policy that meets industry standards.
o Compensating controls for NPI at rest can still be used, but the CISO must review and approve them at least annually.
o Compensating controls are no longer permitted in place of encryption for NPI in transit over external networks.

Incident Response and Business Continuity (Section 500.16)
o Incident Response (IR) plans must be updated and tested annually.
o Business Continuity and Disaster Recovery (BCDR) plans are required to address cybersecurity disruptions.
o Companies must train relevant employees on these plans, test them with critical staff, and ensure backups are protected and restorable.

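The last point, that backups must be tested for restorability, is the one item in this section that is a hands-on technical control rather than a governance task, and it is the one most often "satisfied" on paper only. The script below is an added example written for this article, not code from NYDFS or from the author: it backs up a constructed sample directory (the `npi_store` folder and its two files are invented for illustration), restores the archive into a clean location, and verifies every file against a SHA-256 manifest recorded at backup time. The `run_drill` function also simulates silent corruption of the stored archive to show that the drill catches it.

```python
"""Backup restorability drill (added example, not from the article or NYDFS).

Back up a directory, restore it somewhere clean, and verify every file by
hash against a manifest taken at backup time, so a corrupted backup is found
in a drill rather than during an incident.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 (backups may be larger than memory)."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> dict:
    """Map every regular file under root (posix relative path) to its hash."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> dict:
    """Write a tar of source and return the manifest recorded at backup time.

    In practice the manifest is stored apart from the archive (ideally signed);
    it is the reference the restore test is checked against.
    """
    expected = manifest(source)
    with tarfile.open(archive, "w") as tar:
        for rel in expected:
            tar.add(source / rel, arcname=rel)
    return expected


def restore_and_verify(archive: Path, expected: dict) -> dict:
    """Restore archive into a fresh directory and diff it against expected.

    Any exception during extraction (truncated archive, malformed header) is
    itself a failed restore test, so it is reported rather than raised.
    """
    restore_dir = Path(tempfile.mkdtemp(prefix="restore-"))
    # Python 3.12+ (and security backports) support the 'data' filter, which
    # refuses path traversal and device members; older versions lack it.
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    try:
        with tarfile.open(archive, "r:") as tar:
            tar.extractall(restore_dir, **opts)
    except Exception as exc:  # any failure to extract means "not restorable"
        return {"ok": False, "error": repr(exc), "missing": [], "corrupted": [], "extra": []}
    actual = manifest(restore_dir)
    missing = sorted(set(expected) - set(actual))
    corrupted = sorted(k for k in expected if k in actual and actual[k] != expected[k])
    extra = sorted(set(actual) - set(expected))
    return {
        "ok": not (missing or corrupted or extra),
        "error": None,
        "missing": missing,
        "corrupted": corrupted,
        "extra": extra,
    }


def run_drill(tamper: bool = False) -> dict:
    """End-to-end drill on constructed sample data (hypothetical NPI store).

    With tamper=True one byte of a stored file's content inside the archive is
    flipped to simulate silent media corruption; the drill must report ok=False.
    """
    work = Path(tempfile.mkdtemp(prefix="drill-"))
    source = work / "npi_store"
    (source / "customers").mkdir(parents=True)
    # Constructed sample records, not real data.
    (source / "customers" / "accounts.csv").write_text("id,name\n1,sample customer\n")
    (source / "policies.txt").write_text("sample policy record\n")
    archive = work / "backup.tar"
    expected = make_backup(source, archive)
    if tamper:
        data = bytearray(archive.read_bytes())
        idx = data.find(b"sample policy record")  # file content is stored verbatim in tar
        data[idx] ^= 0x01
        archive.write_bytes(bytes(data))
    return restore_and_verify(archive, expected)


if __name__ == "__main__":
    print("clean backup:   ", run_drill())
    print("tampered backup:", run_drill(tamper=True))
```

Running the file performs both drills and prints the result dictionaries. The tar format checksums only its headers, not file contents, which is exactly why the manifest comparison is needed: a flipped byte in stored data extracts without any error and is only caught by the hash mismatch. The same structure works against a real backup job by pointing `make_backup` and `restore_and_verify` at the production source and the restored copy.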
For Small Businesses
Multi-Factor Authentication (MFA) (Section 500.12(a))
o MFA must be implemented for remote access to internal systems, third-party applications that store NPI, and privileged accounts.
Cybersecurity Training (Section 500.14(a)(3))
o All personnel must receive cybersecurity awareness training at least once a year, focusing on social engineering, phishing, business email compromise, and AI-enhanced threats like deepfakes.

How Will This Impact Companies and CISOs?
For CEOs and CISOs, these updates mean increased accountability and a higher bar for cybersecurity risk management. Here's how the changes will impact organizations:
Greater CISO Responsibility
CISOs will need to be more hands-on in managing cybersecurity and reporting directly to the board or senior management about critical risks and plans to address them. This level of transparency will demand more comprehensive and actionable reporting.
Stricter Encryption Policies
Companies can no longer rely on compensating controls instead of encrypting sensitive information in transit over external networks, which could require significant technical upgrades to meet industry encryption standards.
Enhanced Incident Response and Continuity Planning
Companies must be fully equipped to respond to cyber incidents and business disruptions. This involves testing incident response plans annually and more frequent training, which will likely increase operational costs.
Increased Training and Awareness
The expanded training requirements mean that cybersecurity education will need to extend beyond IT teams to all personnel. CEOs should expect greater internal coordination to ensure compliance.
Cost and Resource Allocation
For smaller organizations, implementing MFA and meeting new training mandates could require investment in new technology solutions and resources, which might be a significant financial and operational challenge.
5 Key Action Steps for CEOs and CISOs
To stay ahead of the November 2024 deadline, here are five key things you should do:
Assess Your Exemption Status: Use the NYDFS "Am I Exempt?" flowchart to determine whether your organization qualifies for a full or partial exemption. Knowing your status will help you understand which specific requirements apply to you.
Enhance Board and Executive Reporting: Ensure that your CISO has a straightforward process for reporting material cybersecurity risks and that senior leadership is prepared to actively oversee risk management efforts.
Review Encryption Policies: If your company currently relies on compensating controls in place of encryption, replace them with industry-standard encryption for NPI in transit over external networks, and make sure any controls you keep for NPI at rest are reviewed and approved by the CISO at least annually.
Update and Test Incident Response Plans: Ensure your IR and BCDR plans are up-to-date and thoroughly tested and include training for all relevant personnel.
Expand Cybersecurity Training: Ensure cybersecurity training is provided company-wide, focusing on social engineering and AI-related threats. Tailor your training to ensure all employees recognize and respond to phishing and other cyber risks.
The 2024 amendments to the NYDFS Cybersecurity Regulation represent a significant shift in how companies, especially in the financial sector, are expected to manage cybersecurity risks.
CEOs and CISOs must take these changes seriously, as non-compliance could lead to significant economic and reputational consequences. Start preparing to meet these new standards and ensure your organization is secure and resilient against the growing threat landscape.