As covered in our previous article, the New York Department of Financial Services (NYDFS) updated its Cybersecurity Regulation in 2023. To help entities roll out the changes and new requirements, they have provided phased timelines for when these items must be implemented by.

Some of these additional requirements were required by April 29, 2024. Those controls were related to Risk Assessments (Section 500.9), Cybersecurity Policies (Section 500.3), Cybersecurity Awareness Training (Section 500.14(a)(3)), and Vulnerability Management (Section 500.5(a)(1), (b), and (c)).

Now that autumn has begun, it is time to start planning for the sections of the Cybersecurity Regulation that will be required in the coming months. In November 2024, additional requirements become effective under the amended Cybersecurity Regulation. Entities that have not already done so are encouraged to begin planning for implementation.

As of November 1, 2024, the following requirements will be effective for all covered entities, except those that qualify for an exemption:

1. Cybersecurity Governance: CISOs’ written reports to senior governing bodies must be updated to include plans for remediating material inadequacies. In addition, CISOs will be required to timely report to senior governing bodies or senior officers on material cybersecurity issues, such as significant cybersecurity events and changes to the cybersecurity program. Entities’ senior governing bodies will be required to exercise oversight of cybersecurity risk management. (Section 500.4)
   
   
2. Encryption of Nonpublic Information (NPI): Effective November 2024, entities will be required to implement a written policy requiring encryption that meets industry standards; effective alternative compensating controls for encryption of NPI in transit over external networks can no longer be used; and use of effective compensating controls for encryption of NPI at rest approved by the CISO may continue to be used, but that approval must now be in writing. (Section 500.15)
   
   
3. Incident Response and Business Continuity Management: Incident response plans continue to be required, but they must be updated as specified. Business continuity and disaster response plans that are reasonably designed to address a cybersecurity-related disruption as specified must also be in place. Covered entities must also train all employees involved in the plans’ implementations, test plans with critical staff, and revise plans as necessary; test the ability to restore critical data and information systems from backups; and maintain and adequately protect backups necessary to restore material operations. (Section 500.16)

If you have any questions on the amendments or would like your program reviewed for efficacy, please contact the Avalon Cyber team.