Financial services companies—banks, credit unions, investment firms, insurance companies, and others—make enticing targets for cybercriminals. Globally, only the manufacturing sector sees more cyber attacks than the financial industry does.
The New York Department of Financial Services (NYDFS) established cyber security requirements for financial services companies in 2017. Since then, the cyber security landscape has changed. So have the steps financial services companies can take to protect themselves.
The NYDFS amended the financial services cyber security regulation known as “Part 500” in 2020. Now, the regulatory agency has amended it a second time. The newest changes went into effect Nov. 1, 2023.
You must understand these cyber security standards in banking and other financial services if you’re an insurance broker or agent working with the financial services industry. By adhering to them, institutions can better protect themselves and their customers from cyber incidents’ potentially devastating consequences.
Key Changes in Financial Services Cyber Security Regulation
Some of the most notable changes in the amended cyber security requirements for financial services companies include:
- Reporting a ransomware event to the NYDFS superintendent before determining the event’s impact.
- Notifying the NYDFS, within 24 hours, when the covered entity makes extortion payments.
- Supplementing, within 30 days, that initial notice with a more detailed description. The supplemental description must explain why payment was necessary, what alternatives the entity considered, and what diligence it completed to ensure legal compliance.
- Filing an annual notice of compliance with the NYDFS, signed by the CISO and the highest-ranking executive; or, alternatively, acknowledging that the entity did not comply with all requirements, has identified the areas of noncompliance, and has planned or completed remediation.
- Reporting to the covered entity’s senior governing body on material cyber security issues (a new responsibility of the CISO).
- Confirming the senior governing body has sufficient understanding of cyber security issues and has allocated enough resources for an effective cyber security program.
- Making business continuity and disaster recovery (BCDR) and incident response (IR) plans. All necessary personnel must have access to, training in, and testing on these plans.
- Conducting more regular risk and vulnerability assessments, including at least annual external and internal penetration tests.
- Providing at least annual cyber security training that anticipates social engineering attacks.
New Regulations for New “Class A Companies”
The amended cyber security regulations for financial services also create a new category of covered entities: “Class A companies.”
Class A companies have a gross income of at least $20 million in each of the last two fiscal years, and either more than 2,000 employees or more than $1 billion in gross annual revenue over the same time frame (500.1.(d)).
Class A companies must meet further requirements, including:
- Conducting independent audits of their cyber security programs based on risk assessment.
- Implementing a privileged access management (PAM) solution and automatically blocking commonly used passwords in order to control unauthorized access.
- Conforming to specific endpoint protection requirements, including using an endpoint detection and response (EDR) solution and a centralized logging and security event alerting solution.
Become Your Financial Services Clients’ Trusted Cyber Expert
As technology continues to evolve, financial institutions must stay vigilant and proactive in maintaining robust cyber security.
Complying with regulations such as the NYDFS’s newly amended cyber security requirements for financial services companies is one essential way these organizations can mitigate and manage their cyber risk.
Indeed, they’re smart steps for any business—of any size, in any industry—to take.
Implementing the kind of strong cyber security controls and policies outlined in the NYDFS regulations not only reduces the risk of security breaches and data theft but also demonstrates a commitment to safeguarding sensitive information.
Additionally, adhering to such security controls can protect a business from potential legal and financial repercussions. It can ultimately help uphold its reputation and competitiveness in the marketplace.
Carrying the right amount of Cyber Liability Insurance is something else all businesses and organizations should do in light of today’s proliferating cyber threats.
At ProWriters, we help brokers and agents like you find, quote, and sell the Cyber Insurance your clients need. Our powerful Cyber IQ platform generates multiple quotes from leading carriers for side-by-side comparison in mere minutes.
We can also help you become your clients’ reliable and respected cyber risk management expert. They will turn to you for guidance in safeguarding their operations’ integrity and securing their customers’ trust.
To find out more, download your free copy of our special report, The Six-Step Guide to Becoming Your Clients’ Cyber Expert.