More NY Cybersecurity Rules for Financial Entities Take Effect Nov. 1
Financial institutions should note the final set of New York state cybersecurity requirements taking effect Nov. 1, Hogan Lovells attorneys blogged Wednesday.
The updated New York Department of Financial Services (NYDFS) requirements “for all covered entities consist of expanding multi-factor authentication … and adopting written procedures for creating and maintaining information system asset inventories,” wrote Nathan Salminen and three other lawyers at the firm. “The regulation grants a limited exemption to the multi-factor authentication requirement only for certain covered entities with employees, revenue, or assets falling under defined thresholds.”
The first set of requirements under the second amendment to NYDFS cybersecurity requirements for financial services companies took effect in November 2023. States are increasingly filling a federal void regulating financial institutions’ cybersecurity, Cooley lawyers said in July (see 2507310038).
Earlier this week, NYDFS issued guidance to covered entities related to third-party service providers (TPSPs). "The growing scale and complexity of cyber risks posed by TPSPs demands a proactive, risk-based, and continuously adaptive approach to third-party governance," it said.
Fisher Phillips lawyers blogged Thursday, "It likely means that the agency is going to increase its scrutiny on the topic in the near future. It also stands to reason that the agency will expect covered businesses to provide evidence of their third-party risk management reviews that line up with the new guidance."