NYDFS News & Updates - CardinalsByte
- Jan 3, 2024
- 3 min read
The NYDFS cybersecurity requirements have been updated; below are the major changes for 2023 and forward. In NYDFS's own words: "Amendments to New York's First-In-The-Nation Cybersecurity Regulations Will Mandate New Controls, Require More Regular Risk Assessments, Update Notification Requirements to Enhance Protections for New Yorkers."
FIRST CHANGE
Vulnerability assessments were already required under the previous version of the NYDFS cybersecurity regulations; the amendment now requires that:
"Covered entities: (a) conduct, at a minimum: (2) automated scans of information systems, and a manual review of systems not covered by such scans, for the purpose of discovering, analyzing and reporting vulnerabilities at a frequency determined by the risk assessment, and promptly after any material system changes[.]"
All changes should be captured and documented.
This is important because, in order to comply with this section of the NYDFS current rules, you will need to:
- Have a comprehensive inventory of all of the assets that exist in your environment (security plans).
- Know which assets your current vulnerability management solution is capable of scanning, and which assets it is not capable of scanning.
- Understand the assets you have; that is what tells you which assets need a manual review, at the frequency your risk assessment sets and promptly after any material system change.
To reduce the manual review burden, it is important to have a vulnerability management solution (integrated with your SIEM or SOAR where possible) that can monitor and scan as many systems in your environment as possible.
SECOND CHANGE
The CardinalsByte Assessment Tool can help identify your systems environment and security posture, and it allows you to plan and scope the effort required to comply with the NYDFS current rules. Identifying which systems and assets are needed for your critical business functions to keep running is the first step, and it should be done before an attack happens, not during one.
The amendment also expects timely remediation of vulnerabilities: you should be able to prioritize each vulnerability based on a risk score reflecting the level of risk it poses to the covered entity.
Vulnerability management solutions commonly assign a risk score to each identified vulnerability based on factors such as its severity, potential impact, and likelihood of exploitation. This helps you prioritize which vulnerabilities need to be addressed more urgently. However, vulnerability management solutions don’t always understand or take into account
- Enhanced governance requirements;
- Additional controls to prevent initial unauthorized access to information systems and to prevent or mitigate the spread of an attack;
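As an added worked example (not code from the original post or from CardinalsByte), the following Python script does the two things described above: it reconciles an asset inventory against what the scanner actually covered, producing the manual-review list the first change calls for, and then ranks open findings by a risk score that weights CVSS by asset criticality, the prioritization the second change calls for. All asset names, finding ids, the 1-to-5 criticality scale, the scoring weights and the SLA windows are constructed assumptions for illustration; none of them come from the regulation.

```python
"""Reconcile an asset inventory against vulnerability-scanner coverage, then rank
open findings by risk. Added example with constructed data; not code from the
original post or from CardinalsByte. Scoring weights and SLA windows below are
assumptions chosen for illustration, not values from the regulation."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    asset_id: str
    hostname: str
    criticality: int  # assumed 1..5 scale; 5 = supports a critical business function


@dataclass(frozen=True)
class Finding:
    finding_id: str        # placeholder ids, not real vulnerability identifiers
    asset_id: str
    cvss: float            # CVSS base score, 0.0..10.0
    first_seen: date
    known_exploited: bool  # e.g. listed in a known-exploited-vulnerabilities catalog


# Constructed inventory. Hostnames are hypothetical.
INVENTORY = [
    Asset("A-001", "core-db-01", 5),
    Asset("A-002", "web-portal-01", 4),
    Asset("A-003", "hr-laptop-17", 2),
    Asset("A-004", "plc-gateway-02", 5),    # OT device on an isolated segment
    Asset("A-005", "legacy-mainframe", 5),  # platform the scanner has no plugin for
]

# Asset ids the scanner reported on in its latest run (constructed).
SCANNED = {"A-001", "A-002", "A-003"}

# Constructed findings from that run.
FINDINGS = [
    Finding("F-101", "A-001", 9.8, date(2024, 1, 1), True),
    Finding("F-102", "A-002", 7.5, date(2023, 12, 1), False),
    Finding("F-103", "A-003", 9.1, date(2023, 12, 20), False),
    Finding("F-104", "A-002", 4.3, date(2023, 11, 1), False),
]

# Assumed remediation windows by CVSS band (days). Your risk assessment sets these.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Reporting date for the stand-alone run (constructed).
AS_OF = date(2024, 1, 3)


def manual_review_scope(inventory, scanned):
    """Assets the scanner did not cover: these need the manual review the
    amended rule calls for. Highest criticality first so scarce review time
    goes to the systems that matter most."""
    missing = [a for a in inventory if a.asset_id not in scanned]
    return sorted(missing, key=lambda a: (-a.criticality, a.asset_id))


def severity_band(cvss):
    """Map a CVSS base score to the band used for SLA lookup."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def risk_score(finding, asset):
    """CVSS alone ignores which system is affected; weight it by asset
    criticality and bump findings with known in-the-wild exploitation.
    The 1.5 multiplier is an assumed tuning value."""
    score = finding.cvss * asset.criticality
    if finding.known_exploited:
        score *= 1.5
    return round(score, 1)


def prioritize(findings, inventory):
    """Return findings ordered most-risky first, as (score, finding) pairs."""
    by_id = {a.asset_id: a for a in inventory}
    ranked = [(risk_score(f, by_id[f.asset_id]), f) for f in findings]
    return sorted(ranked, key=lambda pair: (-pair[0], pair[1].finding_id))


def overdue(findings, today):
    """Findings whose remediation window has elapsed, as (id, days late) pairs;
    evidence for the 'timely remediation' expectation and the remediation log."""
    late = []
    for f in findings:
        deadline = f.first_seen + timedelta(days=SLA_DAYS[severity_band(f.cvss)])
        if today > deadline:
            late.append((f.finding_id, (today - deadline).days))
    return late


if __name__ == "__main__":
    print("Manual review required for:")
    for a in manual_review_scope(INVENTORY, SCANNED):
        print(f"  {a.asset_id} {a.hostname} (criticality {a.criticality})")
    print("Remediation order:")
    for score, f in prioritize(FINDINGS, INVENTORY):
        print(f"  {f.finding_id} on {f.asset_id}: risk {score}")
    print("Overdue as of", AS_OF, ":", overdue(FINDINGS, AS_OF))
```

Two things to notice in the output: the two uncovered assets (the OT gateway and the mainframe) are exactly the ones a scanner-only program would silently miss, and F-103, a CVSS 9.1 on an HR laptop, drops below F-102, a CVSS 7.5 on the customer portal, once asset criticality is folded in. The overdue list is the kind of dated record that documents whether remediation was timely.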
THIRD CHANGE
CardinalsByte offers written security plans to get you into compliance with the rules and regulations. Our incident response plans are custom tailored to your needs and align with industry standards and the NYDFS current rules.
What is critical about this requirement is the amount of time it takes for you to get back into business. In 2023, ransomware attacks shut down major casino operators for about a week, with reported costs exceeding $100 million.
- Requirements for more regular risk and vulnerability assessments, as well as more robust incident response, business continuity, and disaster recovery planning;
Identifying, responding and documenting are critical components of an incident response plan.
- Updated notification requirements, including a new requirement to report ransomware payments.
FOURTH CHANGE
CardinalsByte offers cybersecurity training that creates awareness, builds confidence and gets everyone involved in protecting the company's most important asset, its data, in line with the NYDFS current rules.
The updates focus on being proactive instead of reactive, directing companies to invest in at least annual training and cybersecurity awareness programs that anticipate social engineering attacks and that are otherwise relevant to their business model and personnel.