While the New York DFS Cybersecurity Regulation has been in place since 2017, recent changes have increased the compliance burden on financial services, insurance, and healthcare organizations, requiring them to maintain an asset inventory and to dispose of data they no longer have an obligation to retain.
Historically, the NYDFS Cybersecurity Regulation required insurance companies, banks, and other regulated financial services institutions operating in New York, whether headquartered in the state or only licensed there, to protect their customers’ sensitive data by assessing their cybersecurity risk profiles and implementing comprehensive plans to mitigate those risks.
The minimum standards expected to help prevent data breaches included:
Recognizing the increase in cyberattacks and the consequences of data breaches to the consumers affected by them, NY DFS updated these regulations (23 NYCRR Part 500) to, according to Governor Cathy Hochul, “[double] down on [the state’s] commitment to ensuring that financial institutions have the safeguards in place to protect vital customer data and maintain the integrity of our financial system.” Large companies must conduct independent audits of their cybersecurity program’s compliance with the requirements of the rule by April 29, 2024.
Prior to the amendments, Part 500.13 required organizations to dispose of non-public information (NPI) securely when it was no longer necessary for business operations. However, the new amendments require organizations subject to the regulation (financial services, insurance, and healthcare entities based or operating in New York state) to document and maintain a complete and accurate asset inventory of their systems holding NPI.
The inventory must include key information on each data asset, including:
Once organizations have a thorough understanding of the NPI they hold, they must then determine their legal and regulatory obligations regarding its retention or deletion, and then operationalize them, in order to remain in compliance with the regulation.
The NYDFS is intensifying its enforcement of its Cybersecurity Regulations. Earlier this year, Genesis Global Trading was fined $8 million for its alleged failure to comply with, among other provisions, the Cybersecurity Regulation's asset inventory and data disposal requirements.
Companies seeking to comply with this regulation should begin by developing a comprehensive asset inventory, as this lays the groundwork for meeting the regulation's other requirements. While manually creating an asset inventory can be challenging, automated data discovery solutions can significantly simplify the process by automating the identification, classification, and cataloging of data, which in turn supports a detailed and accurate asset inventory.
Fahad Diwan, JD, FIP, CIPP/M, CIPP/C, Director of Product, Privacy, Exterro
While data discovery technology helps organizations comply with regulators like the NY DFS, it also helps minimize data risk across threat vectors including e-discovery, privacy compliance, and cybersecurity response. In fact, we’ve pulled together a dozen use cases for data discovery in our new infographic!