The proposed amended regulation will have a 60-day comment period, ending Jan. 23, 2023.
11/10/2022 8:00 A.M.
Superintendent of Financial Services Adrienne A. Harris announced in a press release this week that the New York State Department of Financial Services (DFS) proposed an updated cybersecurity regulation.
DFS’s original regulation, introduced in 2017, established a regulatory model that is now used by both federal and state financial regulators. The department has taken a data-driven approach to amending the regulation to ensure that regulated entities address new and increasing cybersecurity threats with the most effective controls and best practices to protect consumers and businesses, according to the release.
“With cyber-attacks on the rise, it is critical that regulation keeps pace with new threats and technology purpose-built to steal data or inflict harm,” Harris said. “Cyber criminals go after all types of companies, big and small, across industries, which is why all of our regulated entities must comply with these standards—whether a bank, virtual currency company, or a health insurance company.”
The proposed amended regulation aims to strengthen the DFS risk-based approach to ensure cybersecurity risk is integrated into business planning, decision-making and ongoing risk management.
Further changes in the proposed regulation include:
- The creation of three tiers of companies, further tailoring the regulation to a diverse set of businesses with different defensive needs.
- Enhanced governance requirements, which increase accountability for cybersecurity at the board and C-suite levels.
- Additional controls to prevent initial unauthorized access to technology systems and to prevent or mitigate the spread of an attack.
- Requiring more regular risk and vulnerability assessments, as well as more robust incident response, business continuity and disaster recovery planning.
- Directing companies to invest in regular training and cybersecurity awareness programs that are relevant to their business model and personnel.
Over the past few months, DFS has solicited feedback on proposed amendments from other regulators, industry groups, and regulated entities through the recent Cybersecurity Symposium, industry conferences and meetings, according to the release.
A copy of the proposed amended regulation is available on the DFS website.