The regulations include amendments to risk assessments, incident response and training, which the New York DFS will cover in webinars in November and December. ACA’s team will also cover this on the State Guide Cohort webinar Nov. 14.
11/03/2023 12:05 P.M.
New York State’s Department of Financial Services (DFS) has released amended cybersecurity regulations and compliance deadlines for businesses as well as a series of training webinars.
The amended regulations (PDF) aim to ensure cybersecurity risk is integrated into business planning, decision-making and ongoing risk management.
They include, according to a news release from the DFS:
- Enhanced governance requirements.
- Additional controls to prevent initial unauthorized access to information systems and to prevent or mitigate the spread of an attack.
- Requirements for more regular risk and vulnerability assessments, as well as more robust incident response, business continuity, and disaster recovery planning.
- Updated notification requirements, including a new requirement to report ransomware payments.
- Updated direction for companies to invest in at least annual training and cybersecurity awareness programs that anticipate social engineering attacks and that are otherwise relevant to their business model and personnel.
DFS’s original regulation, introduced in 2017, established a regulatory model that is now used by both federal and state financial regulators. The department has taken a data-driven approach to amending regulation to ensure that regulated entities address new and increasing cybersecurity threats with the most effective controls and best practices to protect consumers and businesses, ACA International previously reported.
The DFS has provided cybersecurity implementation timelines that outline key compliance dates for each category of business affected by the amendment.
One timeline covers DFS-licensed individual producers, mortgage loan originators, and other businesses that qualify for exemptions under Sections 500.19(a), (c), and (d) of the amended cybersecurity regulation.
A second timeline covers DFS-licensed entities that are not Class A companies and that do not qualify for exemptions under the amended cybersecurity regulation. Class A companies are defined in Section 500.1(d) of the cybersecurity regulation.
Compliance Deadlines
The amendments take effect in phases:
- Except as otherwise specified, covered entities have 180 days from the date of adoption to become compliant. April 29, 2024, will be the primary compliance date for most entities.
- Changes to reporting requirements (outlined in Section 500.4) take effect one month after publication of the amended regulation, or Dec. 1, 2023.
- For certain other requirements, the amendments provide “up to one year, up to 18 months, or up to two years” to come into compliance, depending on the provision in question.
Training Resources
The DFS will hold three webinars to provide an overview of the amended regulation:
- Wednesday, Nov. 15, 2-3:30 p.m. EST. Register here: https://on.ny.gov/500training1115
- Thursday, Nov. 30, 2-3:30 p.m. EST. Register here: https://on.ny.gov/500training1130
- Thursday, Dec. 7, 2-3:30 p.m. EST. Register here: https://on.ny.gov/500training1207
Each training session has limited availability, so interested entities are encouraged to register as soon as possible to learn more and prepare for compliance. Recordings of the trainings will be made available on the DFS website for cybersecurity regulations.
ACA’s compliance team will also break down the amended regulations in the Nov. 14 State Guide Cohort webinar for members at 1 p.m. CST. The amendments will be published in the State Guide starting in December.
Already a State Guide subscriber? To view your online State Guide and to find registration information for the monthly webinars, go to: www.acainternational.org/state-guides.
Ready to subscribe? Visit the State Guide page in our store to join the Cohort today.
Protect Yourself
It’s critical to make sure your cyber liability insurance is current, and coverage is easy and affordable for ACA members. Collectors Insurance Agency (CIA), a subsidiary of ACA, provides members exclusive access to risk management products and services tailored to each member’s specific needs. Cyber insurance is an ever-changing market, and with the help of its partners Aon and Axis, CIA helps members obtain the coverage they need to meet today’s and tomorrow’s challenges.
Remember, subscribe to ACA Daily and Member Alerts under your My ACA profile when logged in to acainternational.org to receive updates on the ACA Huddle.