New York's Latest Cyber Rules Pressure Small Companies, Vendors

As another cybersecurity compliance deadline hits in New York, the impact may be most deeply felt by smaller companies, as well as vendors and other businesses outside the financial sector that technically aren't within scope of the regulation.

The New York Department of Financial Services' (NYDFS) latest Cybersecurity Regulation amendments go into effect Thursday for financial, banking and insurance entities, and they're among the most technical and granular requirements yet.

Some of the amendments call for mature in-house cyber teams and reliable third-party vendor solutions, as well as technology and process investments, cyber attorneys said. While most big companies have a head start on compliance, many smaller businesses, and vendors to the largest companies, face a more uphill implementation.

Companies that aren't in scope, for example, but that sell products to covered entities may soon be contractually expected to follow similar stringent standards. Smaller businesses, such as insurance producers or agents that recently registered in the state, may also be surprised to find themselves pressed to comply with the most comprehensive state cyber requirements in the US.

"This set is some of the more technical set, and perhaps that's why companies were given more time to deal with them," said Michael T. Borgia, lead of Davis Wright Tremaine LLP's information security group in the technology, communications, and privacy and security practice.

NYDFS's cybersecurity rules have been rolled out in phases since they were updated in 2023. Cybersecurity requirements going into effect May 1 largely solidify security industry standards, but they also bolster the leading state cyber regulator's enforcement ammunition.

"Despite their somewhat limited jurisdiction, they see their charge as bigger, as having a real effect on the financial services industry writ large," said Borgia, who represents clients in the telecommunications, financial services, cloud computing and information technology sectors.

Some companies have already flagged concerns over New York's heightened regulations.

Chubb Ltd., which provides commercial and personal property insurance, disclosed in February that NYDFS's cyber rule increased its compliance costs and could increase the risk of noncompliance, regulatory enforcement and reputational risk. Financial services company Ally Financial Inc., healthcare marketplace GoHealth Inc. and global banking group Santander Holdings USA, among others, also pointed to the regulator's cyber rules this year as an area of risk that increases the complexity and costs of operations.

The cybersecurity rule covers any person operating under, or required to operate under, a license, registration, accreditation or similar authorization under the state's Banking Law, the Insurance Law or the Financial Services Law, a fairly large category that includes everything from health insurers to credit unions, foreign banks and mortgage providers.

The NYDFS split the requirements due before May 1 depending on company size. All covered entities need to conduct automated scans of their systems, and manually review systems not covered by these scans, to identify vulnerabilities. They also need to implement enhanced requirements around access privileges, controls to protect against malicious code, and a reasonable written password policy.

Businesses of all sizes also need to disable or securely configure protocols that permit remote control of devices, which are commonly used by IT help desks in many companies.

"This is really challenging because this is a threat vector that cyber criminals use all the time," said Michelle A. Reed, co-chair of Paul Hastings LLP's data privacy and cybersecurity group, which has helped private equity and other investment firms implement the regulation.

Class A companies face additional demands. These are defined as businesses with more than $20 million in annual revenue in the last two years stemming from operations in the state, and that either have more than 2,000 employees or over $1 billion in annual revenue in the last two years from business operations beyond the state.

Those businesses will also have to implement an endpoint detection and response solution to monitor suspicious activity, as well as a centralized solution to log security event alerts. These often require companies to purchase third-party solutions that they then have to deploy across their entire ecosystem.

"There's a lot of work that is involved in executing these things," Reed said, noting that many businesses started working on implementing these many years ago.

Large companies must also bolster access processes, including implementing a privileged access management (PAM) solution. The additional demands seek to address a trend of cyber criminals exploiting privileged users, meaning the select employees within companies that have access to certain sensitive accounts or data.

"All of these things cost money, and so now they're saying, if you're really a big player here, we are going to mandate that you have this," Reed said.

The amendments come two weeks after covered entities were required, for the first time, to file attestations of compliance with most of the amendments. They will have to attest to their compliance, or noncompliance, with this batch of requirements in April 2026.

"Large, mature organizations probably have the vast majority of these steps in place, and if they don't, they've been cutting corners," said Erik Dullea, head of Husch Blackwell LLP's cybersecurity group.

The next few weeks will bring another set of compliance hurdles.

Beginning Nov. 1, companies will have, among other requirements, to mandate the use of multifactor authentication for all individuals accessing businesses' information systems. Chief information security officers (CISOs) will be able to advocate for alternative controls if they can show they're reasonably equivalent or more secure, and those will have to be reviewed annually.

While many businesses already deploy some sort of multifactor authentication system, many don't yet require it. And most haven't addressed how to handle customers who resist taking the extra security measure.

"That's where it gets hard," Borgia said, "and everyone struggles with it."

To contact the reporter on this story: Cassandre Coyer in Washington at ccoyer@bloombergindustry.com

To contact the editors responsible for this story: Jeff Harrington at jharrington@bloombergindustry.com; Catalina Camia at ccamia@bloombergindustry.com; David Jolly at djolly@bloombergindustry.com