New York Introduces Stricter Cybersecurity Regulations with Emphasis on Ransom Payments and Board Oversight
New York has taken a decisive step in strengthening its cybersecurity regulations, adding stricter requirements that surpass recent federal rules. The New York State Department of Financial Services (DFS), responsible for overseeing various financial institutions, has introduced these enhanced cybersecurity regulations in response to the growing threat of cyberattacks, emphasizing the need for more robust protections.
Under these updated regulations, chief information security officers will have a central role in ensuring companies' compliance with the new rules and the enforcement of internal cybersecurity policies. Although some aspects of these rules align with the regulations recently endorsed by the U.S. Securities and Exchange Commission (SEC), New York's requirements delve into greater detail in certain areas.
A significant focus of the updated rules is on board oversight and ransom payments. Boards of directors or other senior committees must oversee cybersecurity risk management, maintain adequate expertise to understand cyber issues, and approve cybersecurity programs. It is also mandated that these programs have sufficient resources to function properly. The new regulations require regulated firms to report any ransom payments made to hackers within 24 hours.
These requirements come at a time when authorities are adopting a more stringent approach toward ransom payments, as illustrated by the Counter Ransomware Initiative, which aims to discourage the payment of ransoms when government systems are targeted. Although New York's rules do not prohibit ransom payments, they necessitate a detailed report to the agency, outlining the decision-making process that led to the payment and any other avenues considered.
Additionally, New York's regulations encompass stronger cybersecurity technology requirements, emphasizing the implementation of multifactor authentication and making cybersecurity an integral part of business continuity plans. Safety measures such as data backups must be routinely tested to ensure their effectiveness.
One unaltered rule is the requirement for companies to report cybersecurity incidents within 72 hours of identifying them. The SEC's rules differ slightly, requiring disclosure within four days of a company determining that a cyber incident is material to its business.
The DFS received over 1,200 responses regarding the proposed rule changes, with some suggesting alignment with other federal government rules such as the Cyber Incident Reporting for Critical Infrastructure Act. While lobbying groups urged harmonization between regulators on reporting regimes, the DFS stated that its existing standard was sufficient and already in good alignment with other relevant frameworks.