New York's amendments to their cybersecurity regulations emphasize the importance of protecting customer data and maintaining financial system integrity. These updates highlight the need for businesses everywhere to prioritize cybersecurity in their operations.
This year, New York has made several new developments in cybersecurity, including their first Cybersecurity Strategy, and growing several departments related to stopping cybercrime (like the Computer Crimes Unit and the Cyber Analysis Unit).
Earlier this month, New York made several amendments to their cybersecurity regulations. The first version of cybersecurity regulations (called 23 NYCRR Part 500) in the state were made in 2017 and enacted by the Department of Financial Services. The regulations were first amended in April 2020, but only to change the date of required annual certification filing. Considering the huge changes in the cybersecurity landscape and the rise of more sophisticated, expensive cyberattacks, it’s no surprise that the state decided to amend the document.
Echoing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), 23 NYCRR Part 500 includes a 72-hour reporting requirement for third-party service providers if the cybersecurity incident has significant material effects. Other important improvements include:
- Improved rules and management
- Extra safety measures to stop unauthorized access to information systems and to stop or control the damage of an attack
- The need for regular checks on risk and weaknesses, as well as stronger planning for dealing with incidents, continuing business, and recovering from disasters
- New rules for issuing alerts, including a brand new rule to report payments made because of ransomware attacks
- Fresh instructions for businesses to spend on yearly training and business-specific programs to increase awareness about cybersecurity
Though many of the changes went into effect on November 1st, 2023, there are different transition periods for certain requirements, with some taking effect in late April 2024. In an announcement, Governor Kathy Hochul said that these amendments are part of an ongoing mission of “ensuring that financial institutions have the safeguards in place to protect vital customer data and maintain the integrity of our financial system”. The updated regulations now place more responsibility on businesses to make use of cybersecurity protections that are relevant to the size and type of business.
Though New York was not the first state to develop its own Cybersecurity Strategy, it’s possible that these amendments may propel New York’s cybersecurity regulations to be truly “nation-leading”. This progression by New York marks a significant milestone, but it is also a clear reminder for businesses everywhere to keep cybersecurity at the forefront of their operational and strategic plans. Digital integrity is no longer optional - it's a mandate.