Since 2017, the New York Department of Financial Services (NYDFS) cybersecurity regulation has established minimum cybersecurity requirements for financial services companies that are licensed or registered by NYDFS. The regulation is set to be updated[1] in 2023 to address the ever-increasing sophistication and scope of cyber threats. NYDFS issued a draft regulation last November, and the public comment period ended on Jan. 9. NYDFS is currently reviewing those comments, and a final rule is expected later this year.
Just like California’s emissions regulations’ far-reaching impact on the national auto industry, the cybersecurity regulation has altered the information security practices of financial services companies both domestically and, due to the global reach of the U.S. financial system, internationally. There’s little doubt the updated regulation will have the same effect.
Effective information governance plays a crucial role in complying with the NYDFS cybersecurity rules by managing the storage, maintenance, and retention of sensitive information. This article explores the most relevant updates to the NYDFS cybersecurity rules for records management professionals.
Company Risk Tiers
The proposed updated NYDFS cybersecurity regulation establishes three tiers of companies (previously, there were two) with targeted requirements tailored to the unique security needs of financial institutions of varying sizes. A new “Class A” designation applies to companies with at least $20 million in gross annual revenue in New York, $1 billion in gross annual revenue globally, and more than 2,000 employees. The proposal raises the threshold for the lowest tier to exempt companies with fewer than 20 personnel (previously, 10) and less than $15 million in assets (previously, $10 million).
Strengthened Controls
Although the current regulation requires robust cybersecurity policies and procedures, the proposed revision will require an even more comprehensive approach. The proposed revision would specifically cover data retention and device end-of-life management, remote access, security monitoring, security awareness and training, incident notification, and vulnerability management. Regulated entities would also need a comprehensive and continuously updated inventory of information assets, with detailed information about ownership, controls, sensitivity levels, support, and recovery time requirements.
The existing regulation already required user access to be appropriately limited. Under the proposed revision, however, these limitations would need to be significantly more detailed. For example, access privileges could not exceed those required to fulfill job responsibilities and privileged accounts could be used only when necessary. Also, regulated companies would need to review privileges at least annually, configure remote access protocols securely, and withdraw an employee’s access swiftly following their departure. Further, multi-factor authentication would be broadly required, rather than merely recommended, for remote access to company information systems, third-party applications, and all privileged accounts that do not already have equivalent or more stringent controls.
Additionally, Class A companies must use automated methods to prohibit commonly used passwords and employ a dedicated privileged access management solution. Moreover, Class A companies would need to conduct an annual independent audit of their cybersecurity program and engage external experts for a full risk assessment every three years.
Increased Governance & Accountability
The updates also extend to company governance. A company’s board of directors or similar governing body, if it has one, would need to oversee and direct the company’s cybersecurity risk management, require executives to develop an appropriate cybersecurity program, and obtain sufficient knowledge to conduct oversight effectively, including, if necessary, by hiring experts. Executives must review and approve cybersecurity policies annually.
Financial institutions were already required to have a chief information security officer (“CISO”); that individual must now have the authority to direct resources to ensure cybersecurity risks are appropriately managed. Companies also must require the CISO to report any material issues to the governing body.
Enhanced Risk Assessments & Incident Planning
Risk assessments and preparedness are another area of the regulation that is set to expand. The regulation currently directs companies to establish a cybersecurity incident response plan that outlines steps to take in the event of a breach. That plan must now be proactive, with measures to investigate and mitigate incidents and ensure operational resilience via incident response, business continuity, and disaster recovery planning and identify and memorialize measures to mitigate the risk of breach and ensure operational resilience.
For example, companies must now conduct a penetration test that specifically covers internal and external attack vectors from both inside and outside the information systems’ boundaries, and develop automated scans or manual reviews to discover, analyze, and report on potential vulnerabilities. Under the proposed revision, companies should also establish a monitoring process that promptly notifies them of security vulnerabilities, remediates them, and documents material issues.
Records management professionals must work with their IT and security teams to develop plans that address each of these components for the information repositories they oversee and their role in the event of a security incident. This includes identifying the type of information that has been compromised, determining the extent of the breach and whether sensitive information is impacted, and reporting the breach to the appropriate authorities.
Recordkeeping and Records Management Professionals
As with any regulation, compliance cannot stop at implementation; it must also be well-documented. The current regulation requires companies to maintain records of their cybersecurity program and activities for at least five years. Under the proposed update, the scope of those records will increase. Records management professionals must ensure that these records are maintained in a secure and accessible manner. Companies must ensure that they have in place adequate policies and procedures for the storage, maintenance, and retention of cybersecurity records. Records also must be readily accessible to authorized parties and protected against unauthorized access, alteration, or destruction.
Conclusion
The updates to the NYDFS cybersecurity regulation further develop the minimum cybersecurity requirements for financial services companies that are licensed or registered by NYDFS. Records management professionals play a critical role in complying with the regulation by ensuring that sensitive information is properly protected, incident response plans are in place, and records are properly maintained and protected. By collaborating with other teams, especially IT and security, to develop and implement cybersecurity and related policies and procedures, records management professionals can help their companies satisfy NYDFS cybersecurity requirements and better protect sensitive information from cyber threats.
[1] https://dfs.ny.gov/system/files/documents/2022/10/rp23a2_text_20221109_0.pdf
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.
Author: Frank Fazzio, IGP, CRM
Analyst / Licensed Attorney