Blog: NYDFS Proposed a Second Amendment to its Cybersecurity Regulation – The National Law Review

Post Brexit Compliance
On Nov. 9, 2022, the New York Department of Financial Services (NYDFS) issued a proposed second amendment to its 2017 cybersecurity regulation for financial service companies. Most of the proposed changes will take effect 180 days after final regulation adoption, likely soon after the comment period closes on Jan. 9, 2023, making most new regulations effective after July 8, 2023. The proposed amendments move beyond administrative and technical safeguards to granular regulations on cybersecurity governance and risk management.

New Requirements for All Covered Entities:

- Grant CISOs authority to manage cybersecurity risks appropriately, including the ability to direct sufficient resources to implement and maintain a cybersecurity program, and require that the CISO report to the senior governing body on any material cybersecurity issues.
- The Board of Directors, or similar managerial body, must annually approve the written cybersecurity policy, which must include policies regarding data retention, asset disposition, security awareness and training, breach notification, encryption requirements for nonpublic information, and vulnerability management.
- Develop written vulnerability management policies and procedures, including: annual penetration testing inside/outside information systems' boundaries; automated scans of information systems (manual review of systems not covered by scans)[3]; continuous monitoring for security vulnerabilities; and documenting material issues found during testing and reporting them to the senior governing body and senior management.
- Conduct a user access privilege review at least annually, promptly terminate access after employee departures, and implement a written password policy that meets industry standards.
- Implement MFA for remote access to all privileged accounts (admin or security accounts), as well as for access to the entity's or third-party applications (including cloud-based ones) which host nonpublic information.
- Maintain an asset inventory of all hardware and software, including their location and accessibility.
- Implement controls that protect against malicious code, including on web traffic and email to block malicious content,[6] and provide at least annual training with social engineering exercises to all employees.
- At least annually, test the ability to restore systems from network-isolated backups[7], and test and revise as needed the BCDR plan and IRP (including for disruptive events like ransomware).
The 72-hour notification requirement for cybersecurity events now requires entities to report events affecting them which occur at or within third-party service providers. Covered entities must now report if they experience a cybersecurity event involving ransomware. The certification now includes a written acknowledgement that provides remediation plans and a timeline for their implementation.
Link: https://postbrexitcompliance.com/2023/01/07/blog-nydfs-proposed-a-second-amendment-to-its-cybersecurity-regulation-the-national-law-review/