NY Regulators Up Cybersecurity Requirements

New York has always been one of the most aggressive regulators of financial institutions (which includes a lot of companies that might not expect such as Carnival Cruise Lines). This is not completely surprising given the number of financial institutions in New York.

With the FTC updating its Safeguards Rule this winter, NY’s Department of Financial Services (NYDFS) decided they needed to play catch up. Some of these changes align New York with new federal law.

Here is what they are proposing according to the law firm Ballard Spahr.

Ransomware attacks need to be reported to DFS within 72 hours
Ransomware payments must be reported within 24 hours
Next, companies will have 30 days to provide a written report after a ransomware payment explaining why that payment was necessary, what alternatives were considered, all diligence to make sure that the ransom was not going to terrorists (which it sort of is, by definition) and that it is in compliance with OFAC rules.
Multi-factor authentication would be required for access to ALL privileged accounts, remote network access and all third-party applications which contain PII. This is mostly an enhancement to the current requirements which many companies have been ignoring or only implementing to a degree.
Increased expectations for board expertise in cybersecurity
Annual third party cybersecurity audits for larger firms (currently you can audit yourself and no one ever failed a self audit).
Significant restrictions on privileged accounts

While this is not final, I suspect no major changes since these are pretty much in line with new federal rules and laws.

Start getting prepared.

If you have questions or need help, please contact us