The NYDFS’ 23 NYCRR Part 500 has been updated to reflect the preventative and responsive measures that financial services organizations now need in place to be ready for cyber attacks.
I first covered this proposed “first in the nation” cybersecurity regulation, which affects financial services companies doing business in New York state, back in 2017. It has served as a basis for other industry sectors and jurisdictions over the last six years.
This month, the NYDFS announced an update to the cybersecurity regulation that will “mandate new controls, require more regular risk assessments, update notification requirements to enhance protections for New Yorkers.”
The updated cybersecurity codes, rules, and regulations (the “CRR” in “23 NYCRR Part 500”) include some specific updates worth mentioning:
- Enhanced governance requirements
- Additional controls to prevent initial unauthorized access to information systems and to prevent or mitigate the spread of an attack
- Requirements for more regular risk and vulnerability assessments, as well as more robust incident response, business continuity, and disaster recovery planning
- Updated notification requirements including a new requirement to report ransomware payments
And, my personal favorite…
- Updated direction for companies to invest in at least annual training and cybersecurity awareness programs that anticipate social engineering attacks and that are otherwise relevant to their business model and personnel
Here at KnowBe4, we know that annual training on its own has little to no impact on the cyber vigilance of an organization’s users; only continual security awareness training enables users to (as the official list of updates above puts it) “anticipate social engineering attacks,” which are the initial attack vector for much larger financial services-related cybercrime.
Even if you’re not in the financial services sector or in New York state, the regulation is worth reading to better understand how to properly ensure a heightened state of cyber readiness.
KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.