By Cam Sivesind
Mon | Nov 28, 2022 | 10:27 AM PST

The New York State Department of Financial Services (NYDFS) is proposing an amendment to its regulations that will require financial services companies to up their cybersecurity game.

Under the proposed amendment, the onus is placed upon corporate boards and executive leadership to:

  • Implement and maintain a written cybersecurity policy—approved annually—to protect information systems and nonpublic information stored on those systems
  • Designate a qualified individual (CISO or equivalent) responsible for overseeing and implementing a cybersecurity program and enforcing its cybersecurity policy
  • Require the CISO to provide a written report at least annually to the board or equivalent governing body
  • Require the CISO to report, in a timely manner, to the board on material cybersecurity issues, including updates to a company's risk assessment or major cybersecurity events
  • Develop and implement, as part of the cybersecurity program, written policies and procedures for vulnerability management and for assessing the effectiveness of the program

Cybersecurity programs shall limit user access privileges to information systems, limit the number of privileged accounts, at a minimum annually review all user access privileges, disable or securely configure all protocols that permit remote control of devices, and promptly terminate access following departures.
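The five access-control requirements in that paragraph are the kind that lend themselves to a recurring automated check. The following is an added illustration, not text or code from NYDFS or from the article's author: a small Python audit that runs over constructed account and device records and emits one finding per deviation. The annual review window, the one-day "prompt" termination grace period, the privileged-account cap, and the list of remote-control protocols are assumptions chosen for the example; a real program would set them from its own risk assessment.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed thresholds for this example: the proposal says "at a minimum
# annually" for reviews and "promptly" for termination, without fixed numbers.
REVIEW_INTERVAL = timedelta(days=365)
TERMINATION_GRACE = timedelta(days=1)
# Assumed list of protocols that permit remote control of a device.
REMOTE_CONTROL_PROTOCOLS = {"rdp", "vnc", "ssh", "winrm", "telnet"}


@dataclass
class Account:
    user: str
    privileged: bool
    last_access_review: Optional[date]
    departed_on: Optional[date] = None
    access_revoked_on: Optional[date] = None


@dataclass
class Device:
    name: str
    # protocol -> {"enabled": bool, "hardened": bool}; "hardened" stands for
    # whatever the organisation's secure baseline requires (MFA, allow-lists, ...)
    services: Dict[str, Dict[str, bool]]


def audit(accounts: List[Account], devices: List[Device], today: date,
          max_privileged: int) -> List[dict]:
    """Return one finding per deviation from the access-control requirements."""
    findings = []

    # Limit the number of privileged accounts.
    privileged = [a.user for a in accounts if a.privileged]
    if len(privileged) > max_privileged:
        findings.append({"kind": "privileged_count", "subject": None,
                         "detail": f"{len(privileged)} privileged accounts, cap is {max_privileged}"})

    for a in accounts:
        # Review every user's access privileges at least annually.
        if a.last_access_review is None or today - a.last_access_review > REVIEW_INTERVAL:
            findings.append({"kind": "stale_review", "subject": a.user,
                             "detail": f"last review {a.last_access_review}"})
        # Terminate access promptly after departure.
        if a.departed_on is not None:
            if a.access_revoked_on is None:
                findings.append({"kind": "access_not_terminated", "subject": a.user,
                                 "detail": f"departed {a.departed_on}, access still active"})
            elif a.access_revoked_on - a.departed_on > TERMINATION_GRACE:
                findings.append({"kind": "late_termination", "subject": a.user,
                                 "detail": f"revoked {a.access_revoked_on}, departed {a.departed_on}"})

    for d in devices:
        # Remote-control protocols must be disabled or securely configured.
        for proto, cfg in d.services.items():
            if proto in REMOTE_CONTROL_PROTOCOLS and cfg.get("enabled") and not cfg.get("hardened"):
                findings.append({"kind": "unhardened_remote_control", "subject": d.name,
                                 "detail": f"{proto} enabled without secure configuration"})
    return findings


def sample_audit() -> List[dict]:
    """Run the audit over constructed sample records (not real data)."""
    today = date(2022, 11, 28)
    accounts = [
        Account("alice", True, date(2022, 6, 1)),
        Account("bob", True, date(2021, 9, 15)),                       # review older than a year
        Account("carol", False, None, departed_on=date(2022, 11, 1)),  # never reviewed, still active
        Account("dave", True, date(2022, 10, 1), departed_on=date(2022, 10, 10),
                access_revoked_on=date(2022, 10, 11)),                # terminated promptly
        Account("erin", False, date(2022, 3, 1)),
    ]
    devices = [
        Device("ws-01", {"rdp": {"enabled": True, "hardened": True}}),
        Device("srv-02", {"vnc": {"enabled": True, "hardened": False},
                          "ssh": {"enabled": True, "hardened": True}}),
        Device("srv-03", {"telnet": {"enabled": False, "hardened": False}}),
    ]
    return audit(accounts, devices, today, max_privileged=2)


if __name__ == "__main__":
    for f in sample_audit():
        print(f"{f['kind']:26} {f['subject'] or '-':8} {f['detail']}")
```

Run on the sample data, the audit reports five findings: the privileged-account cap is exceeded, two accounts lack a review within the last year, one departed user still has active access, and one server exposes an unhardened remote-control service. Feeding it real identity-provider and configuration-management exports instead of the constructed records is the natural next step, and the findings list is the artifact a CISO's annual report to the board can be built from.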

"These requirements are a great example of how cyber risk isn't purely a bits and bytes issue to be 'handled by the security team,'" Jamil Farshchi, EVP and CISO at Equifax, said in a LinkedIn post today about the NYDFS proposal. "It's a core responsibility of the board and management team."

In a comment to Farshchi's LinkedIn post, Becky Gaylord, a cybersecurity and data privacy consultant, had this to say:

"The NYDFS proposal validates communication as the linchpin between IT and C-suite/board of directors. Senior 'cyber deciphers' are now vital ~> Professional, experienced strategic communicators who also...
* Know crisis and issue management.
* Have Infosec certifications and passion for #cyber and #dataprivacy.
* Create strong content across channels.
* Smoothly translate technical information to any audience, from top executives to new employees.
These folks exist!"

The NYDFS proposed amendment is open for comment until January 9, 2023.

The amendment comes weeks after the State of New York announced it will be the first U.S. jurisdiction to require attorneys to complete one credit hour of cybersecurity, privacy, and data protection training as part of their biennial Continuing Legal Education (CLE).

The new accreditation requirement will go into effect July 1, 2023, and attorneys can begin earning credit as early as January 2023. Here are details on the new requirement from the New York State Unified Court System.
