
Eitan Gafny | December 08, 2022

Cybersecurity Regulations’ Second Amendment: Important Update

As 2022 draws to a close, it is important to stay current on potential changes in the ever-evolving cybersecurity market. In late July 2022, the New York Department of Financial Services (NYDFS) published the pre-proposed second amendment to its Cybersecurity Regulation, 23 NYCRR 500. The state regulation, publicly referred to as "Part 500", was introduced in 2017 and brought new mandatory cybersecurity and risk management requirements to sensitive organizations such as banks, law firms, insurers and others. In its original version, Part 500 introduced rigorous principles and rules to strengthen cybersecurity practices in those organizations. Those principles demanded stricter upkeep of security policies and led to the creation of a new industry role, the Chief Information Security Officer (CISO).

Expected changes in security protocols

Should the second amendment of Part 500 go into effect, we expect several key updates and even changes to the cybersecurity market. Since DDoS mitigation has become the most talked-about field in the market, due to the rising number of DDoS attacks worldwide, we expect a drastic change in protocols and regulations covering DDoS mitigation. It is important to note that these regulations, if and when they come into effect, will only be implemented in the US. But one can assume that if such a drastic change in the cyber industry succeeds in the US, the global market standard for visibility into critical vulnerabilities might shift as well.

Some of the most notable updates and changes in the second amendment are the updated definition of "Class A" companies, new standards for executive management involvement, expanded requirements for third-party service providers, and defined security policies for joint work, among others. What is most relevant in the amendment, in terms of DDoS mitigation for financial services companies, are the articles that address the responsibilities of the CISO and the updated requirements for the overall cybersecurity program and its monitoring.

Additional reporting, better DDoS awareness

According to the second amendment of Part 500, the CISO would be obligated to report on remediation efforts and to provide updates on the organization's mitigation protocols. These reports would be annual, with the possibility of reporting twice a year. The CISO would need to include information that is considered nonpublic, and also provide extensive details on the effectiveness, efforts, protocols and mitigation results of the organization's security program. As the number of successful DDoS attacks increases, one might imagine that reporting weak mitigation and a vulnerable attack surface may carry harsh consequences.

The second amendment of Part 500 details new policies for cybersecurity programs, monitoring and training. An organization in the fields mentioned would be required to maintain an up-to-date mitigation plan that includes industry-standard encryption and mitigation effectiveness reports, and to subject those reports to an annual review. In addition to the overall security program, organizations must expand employee training and increase monitoring of their attack surface and environments. These efforts should set a collective standard for the industry in the US and, should the amendment go into effect, for the entire DDoS mitigation market.

What can you do to be prepared against a DDoS attack? 

At MazeBolt, we see the evolution of DDoS attacks in banking, financial services, gaming and insurance, not just in the US but worldwide. The recommendations in the second amendment are a natural response: networks are becoming more complex on the one hand, and on the other, DDoS attacks are growing more sophisticated and more severe in the damage they cause enterprises. Digital environments are evolving at a rapid pace, and many organizations' networks contain assets that are not properly configured, managed, or even kept up to date. If traditional mitigation vendors are not informed of these changes, they cannot effectively protect such networks. Without adequate offensive testing results, an organization has only limited protection and zero visibility into its true DDoS readiness. There is therefore a real need for an updated cybersecurity protocol that serves the industry, the market and the vendors. We will continue to provide updates on Part 500 in the US, as we consider its recommendations important. Stay tuned!

Read the second amendment here.
