New York Department of Financial Services Announces Updated Cybersecurity Regulation

On November 9, 2022, the New York Department of Financial Services (DFS) proposed amendments to its Part 500 Cybersecurity Rules in response to increasingly sophisticated technologies and threats to financial institutions. Building on draft amendments released in July, the formally announced updates commence a 60-day comment period ending on January 23, 2023.

Originally published in 2017, the DFS cybersecurity regulation established a regulatory model for state and federal financial regulators. To safeguard sensitive customer data and promote the integrity of the information technology systems, covered entities must assess their cybersecurity risk profiles and deploy a comprehensive plan that identifies and mitigates that risk. 

With FinCEN reporting ransomware-related incidents increasing by over 50% from 2020, DFS proposed these amendments to ensure regulated entities protect consumers and businesses by addressing new threats with the best practices and most effective controls. According to Superintendent of Financial Services Adrienne A. Harris, “it is critical that […] regulation keeps pace with new threats and technology purpose-built to steal data or inflict harm.” 

Proposed Amendments to Cybersecurity Regulation

The updates aim to strengthen the department’s risk-based approach, ensuring cybersecurity risk is integrated into decision-making, business planning, and ongoing risk management. The proposed amendments include the following:

• Requiring covered entities to contact DFS within 72 hours of a third-party service provider cybersecurity event and respond within 90 days to any requests by DFS related to its investigation of the event
• Enhanced governance requirements to increase cybersecurity accountability at the Board and C-Suite levels   
• Additional controls to prevent unauthorized access to technology systems and mitigate the spread of an attack 
• Increase the size threshold of smaller companies that are currently exempt from many parts of the regulation    
• Requiring more regular risk assessments and more robust disaster recovery planning

• Directing firms to invest in regular cybersecurity awareness and training programs relevant to their personnel and business model   

Cybersecurity Defenses

While ransomware remains a top cyber risk for organizations worldwide, business email compromise (BEC) scams are also rising in light of the shift to remote working, increasing digitization, and sophisticated “deep fake” technology. Recent cases of this fraud type include three Nigerian nationals’ alleged participation in multimillion-dollar cyber-enabled BEC fraud schemes and Instagram influencer “Hushpuppi” being sentenced to over 11 years in federal prison for bank cyber-heists, BEC schemes, and other online frauds.

Strengthening cybersecurity defenses against the rise of malicious cyber activity was highlighted as a priority of the Biden administration in its Interim National Security Strategic Guidance released in March 2021. Since then, the government has helped fund the “Sheild’s Up” initiative, run by the Cyber Infrastructure Security Agency (CISA). At its core, the initiative recommends:

• Taking steps to quickly detect a potential intrusion
• Ensuring that the organization is prepared to respond if an intrusion occurs
• Maximizing the organization’s resilience to a destructive cyber incident

Key Takeaways

FinCEN has previously issued guidance for financial institutions regarding their reporting obligations of cyber events under the Bank Secrecy Act (BSA). If an organization knows, suspects, or has reason to suspect that a cyber event was intended, it should be considered part of an attempt to conduct a suspicious transaction. 

When filing a suspicious activity report (SAR), FinCEN also reminds firms to select SAR field 42 (Cyber event) as the associated suspicious activity type. Additionally, firms should include any relevant technical cyber indicators related to the activity and associated transactions within the available structured cyber event indicator SAR fields 44(a)-(j), (z).

Compliance staff should also take note of the joint cybersecurity advisories and alerts issued by the FBI, CIA, and Department of the Treasury earlier in 2022. In addition to highlighting observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), the advisories recommend implementing the following cybersecurity measures:

• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud)
• Prioritize remediating known exploited vulnerabilities 
• Regularly provide employees with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams)  
• Regularly back up data and password-protect backup copies offline
• Enable and enforce multifactor authentication (MFA)