NYSDA Publications

DFS Issues Cybersecurity Update

Nov 4, 2024

Per the notice below, the New York State Department of Financial Services (DFS) has issued an update on its cybersecurity regulations.  While dental practices are not under DFS jurisdiction with respect to DFS cybersecurity regulations, it is interesting to note the direction that DFS is moving with respect to the entities it does regulate on cybersecurity.

Cybersecurity Regulation Updates and Reminders 

November 2024
On November 1, 2023, the Department of Financial Services (DFS) issued its amended Cybersecurity Regulation.  To assist entities of all sizes throughout the rollout of the regulation, DFS is providing regular updates on important information and helpful resources.  Here is what you need to know in November 2024: 
  • New Cybersecurity Regulation Requirements Now in Effect
  • ICYMI: AI Cybersecurity Guidance
  • Introducing Cybersecurity Refresher Video Series

New Cybersecurity Regulation Requirements Now in Effect

On November 1, 2024, the next set of requirements under the Cybersecurity Regulation took effect.  Below, see requirements that now must be implemented, tailored by the type of regulated entity and exemption status.  The "Am I Exempt" flowchart is designed to help businesses determine their exemption type.  New requirements impacting Class A and Standard companies:

  1. Cybersecurity Governance: CISOs must include plans for remediating material inadequacies, among other information, in written reports to senior governing bodies at least annually.  In addition, CISOs are now required to timely report to senior governing bodies or senior officers on material cybersecurity issues, such as significant cybersecurity events and changes to the cybersecurity program.  Entities’ senior governing bodies are required to exercise oversight of cybersecurity risk management.  (Section 500.4)
  2. Encryption of Nonpublic Information (NPI): Entities are now required to implement a written policy requiring encryption that meets industry standards.  Entities may no longer use effective alternative compensating controls for encryption of NPI in transit over external networks; however, entities may use effective alternative compensating controls for encryption of NPI at rest provided that the compensating controls are reviewed and approved in writing by the CISO at least annually.  (Section 500.15)
  3. Incident Response and Business Continuity Management: Incident Response (IR) plans continue to be required, but they must be updated to address additional criteria and tested at least annually.  Business Continuity and Disaster Response (BCDR) plans that are reasonably designed to address a cybersecurity-related disruption as specified must also be in place.  Covered entities must train all employees involved in the plans’ implementations, test plans with critical staff, and revise plans as necessary; test the ability to restore critical data and information systems from backups; and maintain and adequately protect backups necessary to restore material operations.  (Section 500.16)

Small businesses with partial exemptions also have new requirements.  All covered entities except those that qualify for full exemptions and those that qualify for partial exemptions under 500.19(c) or 500.19(d) must now have the following implemented:

  1. Multi-Factor Authentication (MFA): Covered entities that have not already done so are required to implement MFA for any remote access to their information systems, remote access to third-party applications where NPI is accessible (including cloud applications), and to privileged accounts.  (Section 500.12(a))
  2. Cybersecurity Training: At least annually, entities must provide cybersecurity awareness training to all personnel that covers social engineering, such as phishing, business e-mail compromises, and techniques enhanced by AI, like deepfakes.  (Section 500.14(a)(3))

Learn more about the November 2024 requirements: Class A Entities | Standard Entities | Exempt and Partially Exempt Entities

ICYMI: AI Cybersecurity Guidance

During Cybersecurity Awareness Month, DFS issued new guidance to help New York’s financial services sector identify and assess cybersecurity risks arising from AI.  The guidance outlines specific cybersecurity risks associated with the use of AI, how to use the framework of the DFS Cybersecurity Regulation to combat and mitigate those risks, and the substantial cybersecurity benefits that can be gained when organizations integrate AI into their cybersecurity program.  This guidance does not impose new requirements.  Rather, it helps DFS-regulated institutions to understand their existing obligations to assess and address and the evolving risks arising from AI.  Read the guidance on the DFS website.

Introducing Cybersecurity Refresher Video Series 

The Department is rolling out a series of video refreshers to help entities better understand the Cybersecurity Regulation and its requirements.  The first videos help small businesses that qualify for partial exemptions by detailing the November 2024 requirements.
MFA video

Watch:  Multi-Factor Authentication | Cybersecurity Awareness Training

Contact Us

ICYMI: Reminders from DFS

Last week, the following advisory was sent to CISOs at DFS-regulated entities: Cybersecurity Advisory – Threats Posed by Remote Technology Workers with Ties to Democratic People’s Republic of Korea.  To get regular cybersecurity updates delivered to your inbox, subscribe to Cybersecurity Updates.  For additional questions related to the Cybersecurity Regulation, e-mail DFS’s Cybersecurity team at: cyberregsupport@dfs.ny.gov.  Visit the Cybersecurity Resource Center for all of DFS’s cybersecurity tools and guidance.