BY JACK DWECK
New York State announced new cybersecurity regulations at the start of November that are designed to combat this past year’s rise in cyber attacks, including the addition of more frequent reporting rules for businesses, more risk assessments, and investment in more training programs.
“New York has always led the way in protecting businesses and consumers from online threats,” said Governor Kathy Hochul, “and with these amendments to our nation-leading cybersecurity regulations, we are continuing to set the national standard.”
On November 1st, Governor Hochul announced that the New York Department of Financial Services had amended its cybersecurity regulations, 23 NYCRR Part 500, in order to “enhance cyber governance, mitigate risks, and protect New York businesses and consumers from cyber threats.”
These amendments were made after the state was hit by multiple cyber attacks in places such as hospitals, where a huge amount of sensitive information about hundreds of people is stored. In 2022, there were over 25,000 reported cyber incidents in New York, costing the state $775 million. In 2023, there have been 953 reported cyberattacks so far.
The NYDFS updated regulations that were first enacted on August 28th, 2017, where companies under their jurisdiction had to reporting any cybersecurity event if it impacted the covered entity, or if it has a reasonable likelihood to harm the entity’s normal operation. The newly added parts require businesses to report any ransomware cases that come up, add more controls to prevent initial unauthorized access to information systems, mandating more frequent risk and vulnerability assessments, and having companies invest more in annual training and cybersecurity awareness programs.
Companies that end up making extortion payments connected to a cyber event must report it within 24 hours of making it. In addition, the affected entity must send a written description within 30 days of the event that explains why making the payment was necessary, what alternatives to payment were considered, the effort to find these alternatives, and efforts made to comply with rules and regulations including those from the Office of Foreign Assets Control.
“These updated cybersecurity regulations strengthen New York’s leadership in smart, effective cyber policy,” New York State Chief Cyber Officer Colin Ahern said on the NY Gov site. “The new rules build on our risk-based approach to integrate cybersecurity with enhanced governance, more robust access controls and assessments, updated reporting rules including for ransomware, and requirements for personnel training. These regulations raise the bar for cyber resilience.”
Regulated entities have until April 29th, 2024, to comply with these new guidelines. However the new reporting requirements will take effect much sooner–on December 1st, 2023. In order to help these companies comply with them on time, the NYDFS will be hosting training programs for them over the next few weeks on November 30th and December 7th.