Today I attended a presentation by the superintendant and deputy superintendent of New York State Department of Financial Services. A lot of infomration was provided and we intend on making multiple posts based on the infromation we learned.

As a first step, here are the implementation dates provided by DFS. In general this is for “standard” non-exempt organizations. Where possible we will outline requirements for covered entitites with limited exemptions.

December 1, 2023

• New reporting requirements, particularly around ransomware payments

  • Payments must be reported within 24 hours

  • Covered entities have 30 days to explain the reason for the payment, the decision making process, and impacts on other regulations such as the Office of Foreign Asset Controls

  • Third-party breaches must be reported

  • If a covered entity reports an incident to any governmental agency, even outside New York, DFS must also be notified

April 15, 2024

• The CISO must sign any complaince attestaions. If the CISO is outsourced, the senior officer responsible for supervising the CISO must attest instead

April 29, 2024

• Internal and External Penetration Testing must be completed annually or after major systems changes

• Covered Entitites must have a “monitoring process in place to promptly inform of new security vulnerabilities”

• Covered Entities must place a priority on remediation of vulnerabilities and do so in a timely manner

• Risk Assessment requires expand and must be updated annually

• Policies must be expanded and updated annually

• Cybersecurity training must be provided to all employees at least annually to also include social engineering training (i.e. phishing training)

November 1, 2024

• Limited exemption covered entities must:

  • Implement Multi-Factor Authentication (MFA) on:

    • All remote access

    • All external third-party systems

    • privileged accounts

  • Provide security awareness training to all employees at least annually (it should be noted there is no requirement for social engineering training)

• Increased encryption requirements

  • Encryption policies

  • Must consider all forms of encryption, not just encryption across an external network

  • CISO can approve reasonable compensating controls

• CISO must

  • Report to the board on any material inadequecies of the cybersecurity program

  • Report any material cybersecurity issues to the board

• The board must:

  • “excercise oversight of the risk management program”

  • Must have sufficient understanding of cybersecurity or be advised by professionals that do

• Incident Response Plans must be updated, reviewed and tested

• Business Continuity and Disaster Recovery (BCDR) plans must be updated and reviewed annually

  • Employees must be trained on BCDR procedures

• The covered entity must maintain backups and test the restoration of critical data and systems

May 1, 2025

• Limit access privileges using “Role Based Access Controls” and the “Principle of Least Privileges”

• Prompty deactive inactive accounts, including those of employees who seperate from the company

• Disable unneccesary services and protocols

• Implement a password policy based on “industry best practices”

• Conduct automated vulnerability scans “at the frequency determined by the risk assessment”

• Protect again malicious code, including anti-malware on all systems, web filtering, and email filtering

November 1, 2025

• For “standard” non-exempt organizations implement MFA for all individuals on all systems

  • It should be noted this requirement does not mention anything about whether or not the system can access Non-Public Information (NPI)

  • The CISO can approve compensating controls that provide equievelant or superior protection

• Implement an Assess Managament/Inventory system