NY Financial Regulator Rolls Out Updated Cybersecurity Standards

Nov. 1, 2023, 4:22 PM UTC

New York regulators assigned heightened cybersecurity requirements to banks, insurers, and financial services providers based in the state with the release of finalized rule amendments Wednesday.

Covered entities will have to use multifactor authentication, expand cybersecurity governance duties, and conduct consistent threat testing under the regulation updated by the New York Department of Financial Services.

The New York agency is a national leader in cybersecurity regulation, with other state and federal regulators adopting its approach—the Federal Trade Commission notably said its newest breach reporting standards were “based primarily” on rules first established in New York.

The changes to the New York rule are most significant for large companies, with the DFS assigning several new provisions to companies making at least $20 million annually.

“Cyberattacks are on the rise, and the updates require the financial services industry to institute stronger standards and controls to secure sensitive data,” said Adrienne Harris, the New York state superintendent of financial services, in a statement. “Expanded use of proven protections such as multifactor authentication will be required while maintaining the risk-based flexibility of the landmark cybersecurity regulations.”

Large companies must independently audit their cybersecurity once a year, implement a breach detection system, and centralize how they log security incidents under the updated rule.

The rule also defines, for the first time, the role of a chief information security officer as the individual responsible for managing and enforcing the company’s cybersecurity policies, prescribing specific duties that include signing off on security controls and keeping senior executives abreast of material incidents.

New reporting obligations include providing notice to the regulator within 24 hours of a ransom being paid, as well as a written explanation for the payment within 30 days.

Companies are also expected to create business continuity and disaster recovery plans to mitigate any business disruptions created by a cybersecurity incident.

Compliance with the updated rules will be expected in 180 days, but the notice requirement will take effect 30 days from now. Businesses that have fewer than 20 employees and make under $5 million annually are exempt.

The New York regulator also added a section to the rule describing how its process for determining penalties for violations will account for cooperation in investigations, history of prior offenses, and other factors.

The agency in May fined lending group OneMain Financial Group LLC $4.25 million for violating the regulation by using default passwords and having lax oversight of third-party vendor security practices.

To contact the reporter on this story: Skye Witley at switley@bloombergindustry.com

To contact the editor responsible for this story: Tonia Moore at tmoore@bloombergindustry.com
