On Nov. 9, 2022, The New York Department of Financial Services (NYDFS) proposed critical new amendments for 23 NYCRR Part 500, a section of the DFS Cybersecurity Regulation requirements. Although the comment period has passed, as of Jan. 8, 2023, the policy updates are facing widespread scrutiny for how they could drastically increase the cost and difficulty for businesses and financial institutions to stay in compliance. Many organizations also feel there is less choice and more restriction in how they approach cybersecurity practices.
But outside of public opinion, there are many new key requirements to consider about the amendments.
Are you ready for the future of cybersecurity in NY?
In the new proposal, organizations and financial institutions within the relevant entities are now required to provide mandatory cybersecurity training to all employees. In addition, cybersecurity training must be kept up to date with the current threat climate and reviewed repeatedly throughout the fiscal year. Employees must be able to identify and take preventative action against cyber threats and phishing attempts.
Regular Penetration Testing
In the new proposal, organizations and financial institutions within the relevant entities are required to regularly perform penetration testing. This is a form of vulnerability testing for an organization’s cybersecurity program, simulating what it’s like to be hit by a breach by assigning an “ethical hacker” to attempt unauthorized access.
Incident Response Plan
In the new proposal, organizations and financial institutions within the relevant entities are required to create, practice and implement an incident response plan. An effective incident response plan must:
- Illustrate the incident response plan’s overall goals
- Designate responsibilities to employees and decision makers on all levels
- Clearly define response processes
- Contain information for who to contact, internally and externally, in the event of an attack or threat
In the new proposal, organizations and financial institutions within the relevant entities are required to regularly evaluate and assess the organization for potential weaknesses to test the effectiveness of its cybersecurity practices. Businesses must report on any detected security risks and risk controls, and after analyzing the results, formulate a plan to mitigate and address them. In addition to regularly performing risk assessments, businesses must also define its testing policies and procedures for review.
Chief Information Security Officer (CISO)
Likely the most controversial amendment to DFS Cybersecurity Regulation Requirements, organizations and financial institutions within the relevant entities are required to hire a qualified CISO. The CISO’s primary duties will be the creation and maintenance of the organization’s cybersecurity program. If they detect a security risk, CIOs will also be responsible for all reporting and communication duties.
Are you in compliance?
For small-to-medium organizations and businesses, stomaching another salary isn’t a possibility. Taking on an entirely new, regulated approach to cybersecurity doesn’t seem financially feasible, especially so suddenly during Q1 of the fiscal year.
But there are more options to preserve your IT budget and keep your doors open, but also remain within NY state compliance. Instead of taking the hit of a new paygrade, contact Acture Solutions. Using our customized IT services and security solutions, we’ll refer to the NIST Cybersecurity Framework to educate and prepare your organization.
Set up a call with us to learn more about keeping your business safe from threat actors and avoidable fines.