The New York Department of Financial Services (NYDFS) Cybersecurity Regulations came into full effect in March 2019, outlining requirements to make sure organizations are implementing effective cybersecurity programs and proactively addressing risk. These original requirements included having a CISO, encrypting sensitive data, and ensuring processes are in place to deal with data breaches.
However, things could soon be changing. On November 9th 2022, the NYDFS published updated proposed changes to the original regulations that will affect all organizations working in the New York financial sector – including new email security requirements. Here’s what you need to know.
What could be changing?
The proposed amendments are in response to recent major cyber attacks like the Colonial Pipeline attack, as well as supply chain issues like Log4j. The changes are currently in a 60-day public comment period. If adopted, the regulations will come into effect midway through 2023 and apply to all of the same organizations as the current NYDFS Cybersecurity Regulations.
The amendments include enhanced requirements for privileged accounts, stricter notification obligations, and expanded cyber governance practices. The proposed changes will also create a new class of organizations known as ‘Class A companies’ – those with over 2,000 employees or over $1 billion in gross annual revenue (averaged over the last two fiscal years) – that will be subject to even stricter regulations.
The amendments also describe specific technical and administrative controls for common vulnerabilities. The changes call for further compulsory controls to combat the three most common vectors for gaining access to an organization’s systems: unpatched software, misconfigured Remote Desktop Protocol (RDP), and phishing emails.
How will anti-phishing requirements change?
Mandatory controls and best practices will be brought in to address phishing emails – one of the most common ways risk is introduced into organizations. In an effort to address phishing, the proposed amendments will require businesses to monitor and filter emails to block malicious content. The amendments will also require employees to receive cybersecurity awareness training that includes social engineering exercises.
These changes mean that organizations falling victim to a phishing attack face a double impact. On top of the reputational and operational fallout of a phishing breach, they’ll run the risk of a NYDFS fine if their defenses are found to not be up to standard.
More regulation means more compliance risk – and the NYDFS has a history of handing out significant fines. A recent ruling from the NYDFS announced that Robinhood Crypto LLC had to pay a $30 million penalty to the state of New York for breaching cybersecurity regulations. In 2020 it also fined First American Title Insurance Co. for allegedly exposing sensitive customer data.
With the update to anti-phishing requirements, it’s vital to have email security in place – but not all solutions offer the same level of protection. To remain compliant, organizations need email security solutions such as Egress Defend that can detect the most sophisticated social engineering attacks.
How Egress Defend helps you stay compliant
Egress Defend is the part of our intelligent cloud email security platform that protects against advanced phishing attacks. It integrates seamlessly into Microsoft 365, augmenting Microsoft’s security by detecting and neutralizing the sophisticated threats that evade its native controls. This includes attacks from compromised accounts, sophisticated impersonation attempts, payloadless attacks, and heterogeneous attacks.
Defend uses a combination of intelligent technologies, including machine learning, social graph analysis, and natural language processing, to detect and neutralize inbound phishing threats. This also allows the software to learn email behavior patterns to protect against future social engineering. Additionally, its self-learning technology enables it to detect emerging threats while minimizing administration overhead.
A key element of Defend is its power to improve employees’ security awareness through real-time teachable moments. Contextual, color-coded warning banners are embedded into emails, dynamically signaling the level of risk. User friction is only introduced when someone is about to fall victim to a phishing attack, with awareness training reinforced by clear explanations of in-the-moment risk.