Banks and other financial companies regulated by New York's top financial regulator have six months to implement new governance, reporting and training requirements designed to improve their cybersecurity postures.
Among the New York State Department of Financial Services' new requirements, regulated entities including banks will soon have 24 hours to report extortion payments made in connection with a ransomware event and 30 days to provide an explanation of why the bank made the payment.
Under the new regulations, banks must also implement multifactor authentication for anyone with access to any of the bank's information systems, with limited exceptions. This means both bank employees and bank customers will need to use multifactor authentication to log in.
The new rules are designed to ensure financial institutions "have the safeguards in place to protect vital customer data and maintain the integrity of our financial system," according to Governor Kathy Hochul. The new regulations respond to rising numbers of cyberattacks, according to New York State Superintendent of Financial Services Adrienne Harris.
"Expanded use of proven protections such as multifactor authentication will be required while maintaining the risk-based flexibility of the landmark cybersecurity regulations," Harris said.
In
"Where relevant and appropriate given its mission, the department harmonized its requirements with other regulations and frameworks," the NYDFS document said. "For example, the Cybersecurity Regulation emphasizes governance controls in alignment with NIST CSF 2.0."
The latest draft emphasizes integrating cybersecurity into core governance functions and broadens its scope beyond just critical infrastructure sectors. It also offers guidance on dealing with novel threats, such as newer strains of ransomware.
These updated governance controls require boards to take on greater responsibility in their banks' cybersecurity efforts, specifying that they "shall exercise oversight" of the bank's cybersecurity risk management.
To do this, boards must now have "sufficient understanding" of cybersecurity-related matters, "which may include the use of advisors." The new regulations also saddle boards with the responsibility of receiving and reviewing management reports about cybersecurity and confirming the bank has allocated sufficient resources toward cybersecurity.
The new regulations also set forth new reporting requirements. If a bank makes an extortion payment to a ransomware actor, the bank will have 24 hours to tell NYDFS it made such a payment and 30 days to explain its decision. That follow-up must explain why the payment was necessary and the due diligence the bank performed to ensure the payment did not violate the Office of Foreign Assets Control's sanctions.
Despite the new multifactor authentication rules, NYDFS did leave room for a bank's chief information security officer (CISO) to approve alternatives to multifactor authentication, as long as those alternatives are at least as secure. While the regulation does not specifically mention passkeys, which are
A passkey is a digital credential that can be used to authenticate with an application. Passkeys are usually generated and stored on a user's computer or phone, then synchronized with the user's other devices with end-to-end encryption. Multiple design elements of the passkey also combine to make it phishing-resistant, including the fact that it's based on
The new rules also put an extra onus on "Class A" companies, which generally include banks that have at least $20 million in gross annual revenue. Such large banks must block employees and customers from using common passwords; implement endpoint detection and response; centralize their logging and security and event alerting; and conduct independent audits of their cybersecurity programs.
Most of the new regulations go into effect 180 days from the effective date of November 1, with some exceptions. For example, banks must start reporting ransom payments by December 1, and the new board governance requirements will not take effect for another year.