New York will require financial institutions to conduct risk assessments more often and improve governance under a broad update to the state’s cybersecurity regulations.
The final amended rules are intended to improve risk mitigation and enhance cyber governance within the financial sector, said Gov. Kathy Hochul on Wednesday. The update amends the state’s 2017 cybersecurity regulations, which are enforced by the New York State Department of Financial Services (NYDFS).
The NYDFS will explain the amendments to businesses through a series of seminars, Hochul said.
Under the update, which took effect Wednesday, covered entities are required to have additional controls in place to discourage unauthorized access to information and mitigate the spread of a cyberattack. They must also have stronger incident response and plans for continuity and recovery.
In certain cases, firms will be required to notify the public about any ransomware payments.
Firms must perform risk and vulnerability assessments more frequently and hold cybersecurity training at least once a year that is relevant to their industry, business model, organization size, data handling, and personnel. The training must include discussion of procedures in case of a social engineering attack.
Initial updates to existing reporting requirements will take effect Dec. 1. Changes to required policies and procedures will begin to take effect on a rolling basis in April.
Hochul has taken an aggressive stance against cybercrime and expanded various enforcement offices, including the state’s Computer Crimes Unit and Cyber Analysis Unit.
In May, the NYDFS fined mortgage servicer OneMain Financial $4.25 million over allegations that the firm failed to implement the controls necessary to protect customer information.
New York intends to bring cyber requirements to other industries, as outlined in a comprehensive state cybersecurity strategy released in August.
“New York has always led the way in protecting businesses and consumers from online threats, and with these amendments to our nation-leading cybersecurity regulations, we are continuing to set the national standard,” said Hochul in a press release. “[M]y administration is doubling down on our commitment to ensuring that financial institutions have the safeguards in place to protect vital customer data and maintain the integrity of our financial system.”
Editor’s note: This story was updated Nov. 6 to add a timeline for reporting and policy change requirements.