New York Association of Mortgage Brokers
NYAMB LEGISLATIVE UPDATE!
DFS Cybersecurity Regulation Updates and Reminders
July 2024
In 2023, the Department of Financial Services (DFS) amended its Cybersecurity Regulation (23 NYCRR Part 500). To assist entities throughout the rollout of the amended regulation, DFS is providing regular updates on important information and helpful resources.

Here is what you need to know this month.
ICYMI: Annual Compliance Submissions Due April

As a reminder, covered entities were required to submit their annual compliance submissions (either a Certification of Material Compliance or an Acknowledgement of Noncompliance) for calendar year 2023 by April 15, 2024. If not yet submitted, covered entities can still submit their annual compliance notifications through the DFS portal. 

The annual compliance submission must be signed by the highest-ranking executive and Chief Information Security Officer (or, if the entity does not have a CISO, the senior officer in charge of cybersecurity). Covered entities that qualify for full exemptions from the Cybersecurity Regulation do not have to submit annual compliance notifications.

On April 29, 2024, additional requirements became effective under the amended regulation, including updates related to Risk Assessments (Section 500.9), Cybersecurity Policies (Section 500.3), Cybersecurity Awareness Training (Section 500.14(a)(3)), and Vulnerability Management (Section 500.5(a)(1), (b), and (c)).
For more information about the latest requirements, visit the Cybersecurity Resource Center.
New Requirements Take Effect in November

In November 2024, additional requirements become effective under the amended Cybersecurity Regulation. Entities that have not already done so are encouraged to begin planning for implementation. As of November 1, 2024, the following requirements will be effective for all covered entities, except those that qualify for an exemption.
  1. Cybersecurity Governance: CISOs’ written reports to senior governing bodies must be updated to include plans for remediating material inadequacies. In addition, CISOs will be required to report in a timely manner to the senior governing body or senior officers on material cybersecurity issues, such as significant cybersecurity events and material changes to the cybersecurity program. Entities’ senior governing bodies will be required to exercise oversight of cybersecurity risk management. (Section 500.4)
  2. Encryption of Nonpublic Information (NPI): Effective November 2024, entities will be required to implement a written policy requiring encryption that meets industry standards; effective alternative compensating controls for encryption of NPI in transit over external networks can no longer be used; and use of effective compensating controls for encryption of NPI at rest approved by the CISO may continue to be used, but that approval must now be in writing. (Section 500.15)
  3. Incident Response and Business Continuity Management: Incident response plans continue to be required, but they must be updated as specified. Business continuity and disaster recovery plans that are reasonably designed to address a cybersecurity-related disruption as specified must also be in place. Covered entities must also train all employees involved in implementing the plans, test the plans with critical staff, and revise them as necessary; test the ability to restore critical data and information systems from backups; and maintain and adequately protect backups necessary to restore material operations. (Section 500.16)
Learn more about the additional requirements: Exempt and Partially Exempt Entities | Standard Entities | Class A Entities

Smaller entities can determine if they have an exemption via the Cybersecurity Resource Center’s Part 500 Exemptions section or via the "Am I Exempt" flowchart. The next set of requirements for exempt entities is available on the DFS website.
New Resources Available

DFS’s most thorough cybersecurity resource is the Cybersecurity Resource Center, which features tools and information for businesses of all sizes. There you will find the regulation text, NEW FAQs for cybersecurity professionals and attorneys, training resources, and more.

This month, the Department added two new resources to help entities understand if they qualify for an exemption or if they qualify as a Class A business. DFS also recently released its Cybersecurity Program Template to help small businesses build cybersecurity programs.
|WWW.NYAMB.ORG | #NYAMB #NYMORTGAGEBROKERS #NYWHOLESALEMORTGAGE