Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

New York proposes new cybersecurity reporting requirements for financial institutions

Privacy, Cyber Risk & Data Security State Issues Bank Regulatory NYDFS 23 NYCRR Part 500

Privacy, Cyber Risk & Data Security

Recently, NYDFS released proposed second amendments to New York’s Cybersecurity Regulation (23 NYCRR Part 500), which would, if adopted, require a financial institution’s senior officer or board of directors to approve the entity’s cybersecurity policy. Entities would also be required to disclose whether their directors have expertise in overseeing security risks or whether they rely on third-party cyber consultants. Among other things, the proposed amendments would require cybersecurity executives to provide directors timely alerts of significant cyber issues or events and provide annual reports to the board on cyber risks and defenses as well as on plans for remediating identified inadequacies. Additional requirements include: (i) multi-factor authentication for all privileged accounts (except for service accounts), as well as for “remote access to the network and enterprise and third-party applications from which nonpublic information is accessible”; (ii) limitations on asset and data retention management; (iii) training and monitoring of email to prevent unauthorized access; and (iv) incident response, business continuity, and disaster recovery plans.

The proposed amendments also contain provisions related to ransomware, including measures which would require entities to notify NYDFS within 72 hours of any unauthorized access to privileged accounts or deployment of ransomware within a “material” part of the entity’s information system. Entities would also be directed to alert the Department within 24 hours of making a ransom payment to a hacker—similar to a ransomware payment disclosure mandate included within the “Cyber Incident Reporting for Critical Infrastructure Act of 2022” covering critical infrastructure (covered by InfoBytes here). Within 30 days, entities would also be required to explain the reasons that necessitated the ransomware payment, what alternatives to payment were considered, all diligence performed to find payment alternatives, and all diligence performed to ensure compliance with applicable OFAC rules and regulations including federal sanctions implications.

Comments on the proposed amendments are due August 18.

See continuing InfoBytes coverage on 23 NYCRR Part 500 here.