The New York Department of Financial Services yesterday updated and amended its cybersecurity regulations, instituting more controls and protections while also updating the notification requirements in the event of a ransomware attack.
What’s Changing: Among the changes highlighted by the DFS are:
- Enhanced governance requirements;
- Additional controls to prevent initial unauthorized access to information systems and to prevent or mitigate the spread of an attack;
- Requirements for more regular risk and vulnerability assessments, as well as more robust incident response, business continuity, and disaster recovery planning;
- Updated notification requirements including a new requirement to report ransomware payments; and
- Updated direction for companies to invest in at least annual training and cybersecurity awareness programs that anticipate social engineering attacks and that are otherwise relevant to their business model and personnel.
Help is On The Way: The New York DFS announced it would be holding a series of webinars to help provide more details about the amended cybersecurity regulations. More information about the webinars is available by clicking here.
What She Said: “On the heels of launching the State’s first-ever cybersecurity strategy, boosting state law enforcement’s cyber capabilities, and signing landmark legislation to protect our energy grid from cyberattacks, my administration is doubling down on our commitment to ensuring that financial institutions have the safeguards in place to protect vital customer data and maintain the integrity of our financial system,” said New York Governor Kathy Hochul.