New York DFS Cybersecurity Regulation Outlines Actions with High ROI

Newsletter

As of November 1, 2024, financial services companies regulated by the New York Department of Financial Services Cybersecurity Regulation face new requirements relating to cybersecurity governance, encryption, and incident response. These standards offer a good blueprint for all entities – even those not in the financial services business – to incorporate into their data security programs. A strong cybersecurity program offers a great return on investment: it reduces the likelihood that a security event succeeds and helps defend against the rapidly increasing trend of security-related lawsuits.

Read on for a refresher about the law and a summary of the upcoming requirements.

New York Cybersecurity Regulation – Background

The New York Cybersecurity Regulation (the “Cybersecurity Regulation”), codified at N.Y. Comp. Codes R. & Regs. tit. 23, § 500.0, was originally enacted in 2017. It was aimed at requiring banks, lenders, insurance carriers, and other financial services institutions to assess their cybersecurity posture and safeguard consumer information against unauthorized access by cybercriminals. More specifically, the regulation requires institutions to protect “non-public information.”

The original regulation, which was amended for the first time in 2020, included baseline standards, such as a requirement for entities to maintain a comprehensive cybersecurity program, including written policies and procedures, to conduct risk assessments and independent audits, to meet minimum standards related to encryption and use of multi-factor authentication, and to designate a Chief Information Security Officer (CISO), among other things.

November 2024 Updates

The New York Department of Financial Services amended the standards again in 2023 in response to continued change in the global cybersecurity landscape, with cybercriminals and their schemes continuing to grow in scope and sophistication. Certain of the 2023 amendments take effect as of November 1, 2024. The new requirements include:

  • Updated standards for cybersecurity governance, including requirements for CISOs to timely report cybersecurity issues to senior officers or governing bodies at their entity;
  • A requirement for all covered entities to implement a written policy requiring encryption of non-public information. Such encryption must meet industry standards, and entities will no longer be permitted to use alternative controls in place of encryption for non-public information in transit; and
  • Requirements that security incident response plans be updated and tested on a regular basis, at least annually. Covered entities are also required to train employees on incident response plans, as well as required business continuity and disaster response plans, test their data backups, and make revisions as needed to these policies as a result of these required tests.

The November 2024 amendments also include updated requirements for small businesses, which are exempt from some, but not all, of the provisions of the Cybersecurity Regulations. By November 1, 2024, small businesses are required to:

  • Implement multi-factor authentication for any remote access to information systems; and
  • Provide cybersecurity training at least annually to employees. The training must cover social engineering, phishing, email compromises, and schemes enhanced by AI, including the use of deepfake technology.

The New York Department of Financial Services maintains a website with guidance and FAQs.

The November 2024 updates are more prescriptive than we typically see regarding minimum data security standards. Time will tell if other highly regulated industries follow suit. In the meantime, these cybersecurity standards are often key foundational components of a strong cybersecurity program; thus, they offer a good blueprint for all entities that are looking for bang-for-their-buck data security investments.

If you have questions about the New York Cybersecurity Regulations, other industry-specific privacy and security requirements, or industry standards for a cybersecurity program, please contact your Quarles privacy attorney or:

  • Meghan O'Connor: (414) 277-5423 / meghan.oconnor@quarles.com
  • Kaitlyn Fydenkevez: (202) 780-2642 / kaitlyn.fydenkevez@quarles.com
