Summary
Now in its fifth year, the NYDFS Cybersecurity Regulation is a standout among state-level information security regulations. This year, the NYDFS is investing additional resources into cybersecurity, with a new NYDFS Cyber Intelligence Unit formed in 2021, new ransomware guidance, and increasing enforcement. Compliance with the NYDFS Cybersecurity Regulation requires financial institutions to adopt a risk-based approach to information security. The regulation’s focus on mandating a risk-based process (rather than a specific outcome) that financial institutions must follow in building their information security programs will keep the regulation from becoming obsolete. This same flexibility, however, creates compliance and enforcement risk and uncertainty in the eyes of financial institutions’ business and legal stakeholders.
To help explore these concerns and introduce the recent NYDFS ransomware guidance, our panel addressed:
- NYDFS ransomware guidance update, including incident reporting
- NYDFS priorities in enforcing the Cybersecurity Regulation
- Risk-based approach to building information security programs that align with the regulation
Goodwin attorney Tony Alexis was joined by Heather Novitsky Vice President, Deputy General Counsel, LendingTree and Justin Herring, Executive Deputy Superintendent, Cybersecurity Division, NYDFS.