Strengthened Cybersecurity Regulations in New York: What It Means for Businesses

In an ever-evolving digital landscape, cybersecurity remains a paramount concern for both individuals and businesses alike. New York’s Department of Financial Services (DFS) has recently taken a significant step forward in addressing these concerns by issuing updated and strengthened cybersecurity regulations. These new regulations build upon the foundation laid out in 2017 and introduce several key changes to enhance cybersecurity measures and safeguard sensitive data. As leaders in network exposure analytics, we’re here to shed light on the implications of these regulations, what they mean for businesses of all sizes, and how to prioritize security by reducing vulnerability. 

Three tiers for different companies 

One of the notable changes in these updated regulations is the introduction of a tiered approach for companies. These tiers classify companies based on their size, with specific requirements tailored to size and cybersecurity capabilities. Companies with fewer than 20 employees and less than $5 million in gross annual revenue over the last three years will be subject to fewer cybersecurity requirements. This more nuanced approach acknowledges that smaller companies may have different cybersecurity capabilities and resources compared to larger enterprises. 

Enhanced governance and access control 

The new regulations place significant emphasis on governance and access control. Companies will now be required to implement enhanced governance measures to ensure the protection of sensitive data. Additionally, there are new controls in place to prevent unauthorized access to systems and mitigate the spread of cyberattacks. This is a crucial step in fortifying the first line of defense against potential breaches. 

Regular risk assessments and incident response 

Risk assessment is a fundamental component of any robust cybersecurity strategy. The updated regulations mandate more regular risk and vulnerability assessments, reflecting the ever-changing nature of cyber threats. Moreover, companies must strengthen their incident response, business continuity, and disaster recovery planning. This ensures that businesses are prepared to handle and recover from cyber incidents efficiently, minimizing the potential impact on operations and data integrity. 

Ransomware reporting 

Ransomware attacks have become a growing concern for organizations worldwide. Regulations issued in New York now require companies to report ransomware payments. This change is in line with the broader effort to increase transparency and help law enforcement agencies track and combat ransomware threats effectively. 

Investment in training and awareness 

One of the most critical aspects of cybersecurity is human behavior. To strengthen this front, the regulations direct companies to invest in at least annual training and cybersecurity awareness programs. These programs should anticipate social engineering attacks, which often target employees as the weakest link in a company’s cybersecurity defenses. 

Looking ahead 

New York’s updated cybersecurity regulations raise the bar for cyber resilience. By providing a tiered approach that recognizes the diversity of businesses, enhancing governance and access controls, emphasizing regular risk assessments, and promoting cybersecurity awareness, these regulations aim to protect businesses and individuals from the ever-present threat of cyberattacks. 

While these regulations mark a significant step forward in bolstering cybersecurity, businesses must also stay proactive in adapting to emerging threats. Being proactive with vulnerability prioritization is essential for any organization to effectively manage and mitigate cybersecurity risks. 

Cybersecurity is an ongoing process, and compliance with regulations is just the beginning. Will other states follow New York’s lead? RedSeal will watch and report should any additional states update cybersecurity regulations. 

RedSeal recommends organizations transition from defensive to proactive security. Businesses should continually assess their security posture, stay informed about the latest threats, and invest in comprehensive cybersecurity solutions to ensure they remain protected in an increasingly digital world.

Reach out today for more information on how RedSeal can support your business with proactive vulnerability prioritization.