Responding to New York’s updated cybersecurity rule for financial institutions


Last month, the New York Department of Financial Services finalized updates to a cybersecurity rule governing financial institutions that do business in the state. Here’s what banks and other institutions must know about the updated rule and what they should do in light of the new requirements.

New requirements for financial institutions

The update to the original 2017 rule — finalized Nov. 1, with many provisions taking immediate effect — introduces more stringent cybersecurity requirements for financial institutions operating in New York State, consistent with the overall push by federal and state regulators in recent years to better safeguard consumer data.

Under the updated rule, NYDFS-regulated financial institutions must:

  • Enhance their cybersecurity governance. Under the original rule, CISOs or their equivalents were required to report to boards about cybersecurity programs and material risks annually; they must now also report annually on plans for addressing material issues and report significant cybersecurity events and changes to programs in a timely manner. Boards are also required to be more directly involved in cybersecurity risk management, and organizations are…
