The New York Department of Financial Services (NYDFS) has published a proposal to amend its cybersecurity rules, which will require regulated companies to notify the NYDFS of a third-party cybersecurity incident within 72 hours.
A draft version of the proposal released earlier this year required financial institutions to notify regulators about such incidents within 72 hours. This newer proposal includes that notice requirement, along with an amendment requiring that notice be provided to NYDFS within 24 hours of making a ransom payment to hackers. Furthermore, financial institutions will be required to outline why a ransom payment was necessary, which alternatives were considered, and how federal sanctions implications were assessed.
In addition, the proposals mandate that boards of directors at financial institutions have more oversight over the organization's cybersecurity risks. Boards at banks, insurance companies, and other financial institutions meeting a certain size threshold will be required to approve cyber policies. Financial institutions will also have to disclose whether their boards have the expertise to oversee cybersecurity risks or identify whether they will rely on outside consultants. These mirror the requirements proposed by the Securities and Exchange Commission (SEC).
The proposed amendments are subject to a 60-day comment period before they are further revised or finalized.
“With cyber-attacks on the rise, it is critical that our regulation keeps pace with new threats and technology purpose-built to steal data or inflict harm. Cyber criminals go after all types of companies, big and small, across industries, which is why all of our regulated entities must comply with these standards – whether a bank, virtual currency company, or a health insurance company,” New York Department of Financial Services Superintendent Adrienne Harris said in a statement.