New York State Proposes Key Amendments to Cybersecurity Reg

August 4, 2022 at 12:13 pm Leave a comment

Late this past Friday, New York’s Department of Financial Services provided a notice of proposed amendments to the Department’s Cybersecurity Regulation (23 NYCRR 500).  This regulation applies to any state licensed or regulated institution and their affiliates.

These proposed changes are a big deal.  In 2017, New York promulgated its “first in the nation” – New York loves to be first– Cybersecurity Regulation which goes far beyond existing federal requirements.  Every year, state regulated institutions must certify that they are complying with this framework. As readers of this blog know, the State has moved aggressively against entities that have violated its provisions. 

Much of the proposal builds on existing requirements.  For example, regulated entities must already perform cybersecurity risk assessments, but the enhanced regulation will make this requirement more prescriptive by detailing that the assessments take into account “the specific circumstances of the covered entity, including but not limited to its size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations. Risk assessments incorporate threat and vulnerability analyses, and consider mitigations provided by security controls planned or in place”.  

Regulated institutions must already have a Chief Information Security Officer (CISO).  This regulation further enhances the centrality of this role by mandating that CISOs “have adequate independence and authority to ensure cybersecurity risks are appropriately managed”.  This is incredibly general language to put in a regulation and at the very least should trigger a review of your credit union’s org chart. 

The existing regulation mandates penetration testing.  These changes mandate, among other things, that these tests be performed by a qualified independent party. 

But wait, there’s more.  I’m assuming that many of you already do this, but now you’ll be explicitly required to “implement written policies [and] procedures designed to ensure a complete, accurate, and documented asset inventory”.

As I already mentioned, the Department requires regulated entities to certify on an annual basis that they are complying with this regulation.  These certifications should not be taken lightly.  The proposed regulation includes new provisions in which entities will be asked to acknowledge if parts of their program don’t comply with this regulation.  Entities will have to provide a timeline for correcting these shortcomings. 

Larger regulated entities would be classified as Class A companies and subject to additional regulatory requirements:

  • Class A companies would be regulated entities with:
    • (1) over 2,000 employees, including those of both the covered entity and all of its affiliates no matter where located; or
    • (2) over $1,000,000,000 in gross annual revenue averaged over the last three fiscal years from all business operations of the covered entity and all of its affiliates.

There is more yours truly could discuss about this proposal, but time and space are running short.  Please designate someone to review these changes.  Remember, even if you’re not a state-chartered institution, New York’s regulation has had a nation-wide impact on cybersecurity standards.

On that note, I am off to the Long Island shorefront.  Enjoy your weekend.

Entry filed under: Compliance, New York State, Regulatory, Technology. Tags: , , , , .

Accounting And Cyber Security Highlight The Summer Regulatory Season

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advise from retained counsel.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 785 other followers


%d bloggers like this: