NYS Department of Financial Services Revises Proposed Cybersecurity Regulations
The New York State Department of Financial Services (DFS) has revised its proposed cybersecurity regulations. The proposed regulations require "covered entities" to establish cybersecurity programs and policies. "Covered entities" are those licensed, registered, chartered, certified, permitted, or accredited under the Banking Law, the Insurance Law, or the Financial Services Law. The proposed regulations do not apply to organizations licensed or certified solely under other state laws, such as the Public Health Law or Social Services Law. A summary of the initial version of the proposed regulations is available here, and a summary of the revisions is available here.
The proposed regulations require covered entities to implement cybersecurity programs that protect their information systems and the nonpublic information stored on them from unauthorized access, use, or other malicious acts. Each program must include safeguards to prevent, detect, respond to, and recover from cybersecurity incidents, including risk assessment procedures, the appointment of an information security officer, cybersecurity awareness training, regular penetration testing and vulnerability assessments, audit logging, access privileges limited to the minimum necessary, multi-factor authentication standards, data retention policies, encryption of nonpublic information at rest and in transit, incident response planning, and reporting of incidents and breaches.
The revisions are subject to an additional 30-day comment period; comments are due Jan. 27th.
Contact: Karen Lipson, klipson@leadingageny.org, 518-867-8383 ext. 124