This regulation has since passed in a final form; the final regulation includes changes from what was proposed below.
On July 29, 2022, the New York Department of Financial Services (NYDFS) released a series of amendments to its cybersecurity regulations, which, when approved, will affect financial institutions that fall under its governance. These new guidelines include setting standards for notification periods following suspicious activity on privileged accounts, updates to risk assessments, and using multifactor authentication processes for private accounts.
What do these proposed amendments mean for your third-party risk management program? What risks might your vendors pose regarding these new regulations? And what does your team need to do to ensure vendor compliance?
As we've seen over the past several months, regulators are looking for the best ways to implement protections and defend against cybercriminals. Considering this trend, the new proposed amendments to the NYDFS' Part 500 Cybersecurity Regulations attempt to bolster cybersecurity practices, reporting methods, and risk assessments. These improvements will aid in safeguarding financial institutions from cyberattacks, preserve privacy, and protect sensitive information.
With third-party data breaches and cyberattacks becoming a more serious threat across all industries, your vendors must follow the proper guidelines and regulations. Financial institutions must comply with these updated amendments. Therefore, an organization's third-party risk management team will need to consider its vendors' ability to meet these expectations.
Your organization is responsible for complying with these proposed amendments, and your vendors may play a larger role in your cybersecurity strategy than you initially think. Consider whether your vendors will notify you soon enough after an incident that you can notify the proper supervisors within the required period. How often do your vendors audit and update their policies? Do the vendors use multifactor authentication and limit access to privileged accounts and sensitive information to only the necessary stakeholders? What happens if there is a data breach, or if a malicious actor gains access to sensitive information?
Updating your organization's policies and procedures is only the first step. You must work with your vendors to ensure they take the necessary actions to comply with the amended regulations, because if your vendors fail to follow the appropriate guidelines, your organization may face significant legal and regulatory consequences.
No matter what industry you operate in or what regulatory requirements your vendors must meet, your organization will be held liable if they don’t. Ensure that your vendors can comply with your policies and procedures to avoid legal action, fines, and other damages.
After assessing your vendor, you must verify whether the vendor can meet the new requirements. If the vendor's controls do not meet them, it may be time to consider offboarding and replacing the vendor before any security events occur.
As regulators update their requirements, your organization must make the necessary adjustments to remain compliant and confirm that its vendors have the appropriate controls to meet the new requirements. Failure to meet the new regulatory requirements puts your organization at great risk and increases your likelihood of regulatory fines and legal action.