| HENRY C. MEIER, ESQ.

New York’s Department of Financial Services unveils updated cybersecurity regulations

On November 1, New York’s Department of Financial Services finalized several important amendments to its cybersecurity regulations (23 NYCRR 500). These changes have important implications not only for New York State chartered and licensed institutions, such as CUSOs, but for any vendors doing business with those entities.

Since promulgating its “first in the Nation” cybersecurity regulations in 2017, the Department of Financial Services has aggressively used these regulations to impose baseline cybersecurity protocols on state licensed and chartered institutions. New York’s regulations do much more than simply mandate reporting of suspected cyber breaches. They require regulated entities to certify that they maintain programs designed to protect the confidentiality, integrity, and availability of the covered entity’s information systems. These programs must include periodic penetration testing and must be approved at the highest levels of the regulated business.

In the absence of comprehensive federal regulation, New York’s protocols have had a nationwide impact by providing a regulatory model for other jurisdictions to follow. The regulations also mandate that vendor contracts incorporate many of the Part 500 requirements, even if the vendors are headquartered outside of New York. Compliance with these regulations is a top priority for the Department of Financial Services, as demonstrated by the penalties it has imposed on several companies for violations. In short, if you are a state-chartered bank or credit union, or are otherwise licensed by DFS, preparing for these changes is a top priority. And even if you are not subject to New York State law, if you are responsible for protecting your company’s data security you should know about these important changes.