Printed from BusinessInsurance.com

New York proposes updated cybersecurity regulation

Posted On: Nov. 9, 2022 1:38 PM CST


New York’s Department of Financial Services is proposing to update and strengthen its 2017 cybersecurity regulation, the DFS said Thursday.

The department said in a statement its proposed amended regulation “strengthens the DFS risk-based approach to ensure cybersecurity risk is integrated into business planning, decision-making, and ongoing risk management.”

The current regulation requires insurers and other financial institutions to put in place controls to ensure a robust cybersecurity program. The department said in its statement it established a model that is now used by both federal and state regulators.

Among the changes in the proposal is the creation of three tiers of companies, with those that have fewer than 20 employees and less than $5 million in gross annual revenue in each of the last three years subject to fewer of its requirements.

The DFS has made the regulation “very flexible and adaptable to a company depending on its size, which is a great thing,” said Daniel S. Marvin, a partner with Kennedys Law LLP in New York.

Other proposed changes include:

— Enhancing governance requirements.

— Providing additional controls to prevent initial unauthorized access to systems.

— Requiring more regular risk and vulnerability assessment and more robust incident response planning.

— Directing companies to invest in regular training and cybersecurity awareness programs.

The proposed amendment is subject to a 60-day comment period that ends Jan. 9, 2023.