Amendments to New York’s First-In-The-Nation Cybersecurity Regulations Will Mandate New Controls, Require More Regular Risk Assessments, Update Notification Requirements to Enhance Protections for New Yorkers
Builds on Governor’s Commitment to Bolstering Cybersecurity Statewide Following Launch of New York’s First-Ever Cybersecurity Strategy
Governor Kathy Hochul today announced that the New York State Department of Financial Services has amended its nation-leading cybersecurity regulations to enhance cyber governance, mitigate risks, and protect New York businesses and consumers from cyber threats. The amended regulations build on the sweeping impact of the original cybersecurity regulations, which established the innovative framework that is now modeled by both federal and state financial regulators to protect against cyber threats, and the Governor’s comprehensive, statewide effort to improve safeguards for businesses and consumers. A copy of the final adopted regulations is available on the DFS website.
“New York has always led the way in protecting businesses and consumers from online threats, and with these amendments to our nation-leading cybersecurity regulations, we are continuing to set the national standard,” Governor Hochul said. “On the heels of launching the State’s first-ever cybersecurity strategy, boosting state law enforcement's cyber capabilities, and signing landmark legislation to protect our energy grid from cyberattacks, my administration is doubling down on our commitment to ensuring that financial institutions have the safeguards in place to protect vital customer data and maintain the integrity of our financial system.”
New York State Superintendent of Financial Services Adrienne A. Harris said, “This regulation continues the Department’s transformative, data-driven approach to cybersecurity oversight. Cyberattacks are on the rise, and the updates require the financial services industry to institute stronger standards and controls to secure sensitive data. Expanded use of proven protections such as multifactor authentication will be required while maintaining the risk-based flexibility of the landmark cybersecurity regulations.”
"These updated cybersecurity regulations strengthen New York's leadership in smart, effective cyber policy,” said New York State Chief Cyber Officer Colin Ahern. “The new rules build on our risk-based approach to integrate cybersecurity with enhanced governance, more robust access controls and assessments, updated reporting rules including for ransomware, and requirements for personnel training, these regulations raise the bar for cyber resilience. Even as cyber threats grow more complex, New York continues to deliver innovative solutions that secure critical systems, safeguard data, and protect consumers and businesses alike. I applaud the Governor and Department of Financial Services for advancing these impactful new cyber standards."
The new rules strengthen the Department of Financial Services’ (DFS) risk-based approach to ensure that cybersecurity is integrated into regulated entities’ business planning, decision-making, and ongoing risk management. Key changes in the regulations include:
- Enhanced governance requirements;
- Additional controls to prevent initial unauthorized access to information systems and to prevent or mitigate the spread of an attack;
- Requirements for more regular risk and vulnerability assessments, as well as more robust incident response, business continuity, and disaster recovery planning;
- Updated notification requirements including a new requirement to report ransomware payments; and
- Updated direction for companies to invest in at least annual training and cybersecurity awareness programs that anticipate social engineering attacks and that are otherwise relevant to their business model and personnel.
As part of its data-driven approach to cybersecurity, DFS conducted significant outreach through cyber symposiums and conferences and dialogue with state, federal and international regulators, industry, and other experts in the field of cybersecurity. The adopted amendment holds DFS-regulated businesses and licensed entities accountable for implementing cybersecurity protections and ensuring they maintain cyber defenses appropriate to their size, nature of business, and the type of data maintained, among other relevant considerations, while continuing to foster growth of New York’s financial services industry.
Under Governor Hochul's leadership, New York continues to create the national model for smart and effective cybersecurity policy. Earlier this year, the Governor launched the first-ever New York State Cybersecurity Strategy, a comprehensive roadmap to build cyber resilience in every corner of the state. Governor Hochul also launched a nation-leading cybersecurity shared services program to protect county and local government entities, covering more than 65,000 government-owned computers across the state, and expanded the state’s law enforcement cyber capabilities by growing the Computer Crimes Unit, Cyber Analysis Unit, and Internet Crimes Against Children Center at the New York State Police. Last year, Governor Hochul also signed landmark legislation to protect New York's energy grid from cyberattacks. As cyber threats rapidly evolve, New York remains at the cutting edge of cybersecurity policy and continues to strengthen defenses across the public and private sectors.
DFS will host a series of webinars to provide an overview of the amended cybersecurity regulations. Registration details for these training events and compliance timeline are available on the DFS website.