The New York Department of Financial Services yesterday announced proposed amendments to its cybersecurity regulation, including increasing the size threshold for companies that are exempt from following much of the regulation, while also requiring more risk and vulnerability assessments and investing in training and cybersecurity awareness programs, among other changes.
A copy of the proposed changes accompanies the announcement. Comments on the proposal are being accepted through January 9, 2023.
The original cybersecurity regulation was put in place by the DFS back in 2017 and has been used as a model by regulators at both the state and federal level.
Under the proposal, companies with fewer than 20 employees, less than $5 million in gross annual revenue, or less than $15 million in year-end total assets would be exempt from many of the requirements. Under the current regulation, only companies with fewer than 10 employees and less than $10 million in assets are exempt.
The proposal also creates three tiers of companies that include specific requirements, based on the size of each company.
Covered entities will have to conduct penetration testing of their information systems from both inside and outside their boundaries, performed by a qualified internal or external independent party at least annually, and have a monitoring program in place to ensure they are promptly informed of new vulnerabilities. Companies will also be required to create password policies and to implement written policies documenting all of their assets.
Covered entities will be required to conduct social engineering exercises as part of a more robust training and awareness program and develop a business continuity and disaster recovery plan.
“With cyber-attacks on the rise, it is critical that our regulation keeps pace with new threats and technology purpose-built to steal data or inflict harm,” said DFS Superintendent Adrienne A. Harris in a statement. “Cyber criminals go after all types of companies, big and small, across industries, which is why all of our regulated entities must comply with these standards – whether a bank, virtual currency company, or a health insurance company.”