New York Department of Financial Services Announces Updated Cybersecurity Regulation – ComplyAdvantage

On November 9, 2022, the New York Department of Financial Services (DFS) proposed amendments to its Part 500 Cybersecurity Rules in response to increasingly sophisticated technologies and threats to financial institutions. Building on draft amendments released in July, the formally announced updates commence a 60-day comment period ending on January 23, 2023.
Originally published in 2017, the DFS cybersecurity regulation established a regulatory model for state and federal financial regulators. To safeguard sensitive customer data and promote the integrity of information technology systems, covered entities must assess their cybersecurity risk profiles and deploy a comprehensive plan that identifies and mitigates that risk.
With FinCEN reporting ransomware-related incidents increasing by over 50% from 2020, DFS proposed these amendments to ensure regulated entities protect consumers and businesses by addressing new threats with the best practices and most effective controls. According to Superintendent of Financial Services Adrienne A. Harris, “it is critical that […] regulation keeps pace with new threats and technology purpose-built to steal data or inflict harm.” 
The updates aim to strengthen the department’s risk-based approach, ensuring cybersecurity risk is integrated into decision-making, business planning, and ongoing risk management. The proposed amendments include the following:
While ransomware remains a top cyber risk for organizations worldwide, business email compromise (BEC) scams are also rising in light of the shift to remote working, increasing digitization, and sophisticated “deep fake” technology. Recent cases of this fraud type include three Nigerian nationals’ alleged participation in multimillion-dollar cyber-enabled BEC fraud schemes and Instagram influencer “Hushpuppi” being sentenced to over 11 years in federal prison for bank cyber-heists, BEC schemes, and other online frauds.
Strengthening cybersecurity defenses against the rise of malicious cyber activity was highlighted as a priority of the Biden administration in its Interim National Security Strategic Guidance released in March 2021. Since then, the government has helped fund the “Shields Up” initiative, run by the Cyber Infrastructure Security Agency (CISA). At its core, the initiative recommends:
FinCEN has previously issued guidance for financial institutions regarding their reporting obligations of cyber events under the Bank Secrecy Act (BSA). If an organization knows, suspects, or has reason to suspect that a cyber event was intended, it should be considered part of an attempt to conduct a suspicious transaction. 
When filing a suspicious activity report (SAR), FinCEN also reminds firms to select SAR field 42 (Cyber event) as the associated suspicious activity type. Additionally, firms should include any relevant technical cyber indicators related to the activity and associated transactions within the available structured cyber event indicator SAR fields 44(a)-(j), (z).
Compliance staff should also take note of the joint cybersecurity advisories and alerts issued by the FBI, CIA, and Department of the Treasury earlier in 2022. In addition to highlighting observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), the advisories recommend implementing the following cybersecurity measures:

Originally published November 18, 2022, updated November 18, 2022