US Regulators Enhance Information Security Requirements for Financial Services Providers
The New York Department of Financial Services (NYDFS) announced extensive amendments to its cybersecurity requirements for financial institutions on November 1, 2023. The amendments are intended to address the evolution in the cybersecurity landscape.
Key changes in the amended regulation include:
- Enhancing requirements related to vulnerability management, access controls, and the use of encryption;
- Requiring the implementation of policies and procedures related to business continuity and disaster recovery;
- Updating cybersecurity incident notification requirements, including a new requirement to report ransomware payments;
- Requiring additional controls to prevent unauthorized access to information systems;
- Providing prescriptive requirements related to the use of multi-factor authentication; and
- Amending the scope of the exemptions and enforcement provisions under the regulation.
The amended requirements will take effect in phases, with some having already come into force on November 1, 2023.

Mazharul Islam,
Corporate Legal Practitioner,
Member of Harvard Business Review Advisory Council.
He can be reached at mazhar@insightez.com
