Article
New York Department of Financial Services updates cybersecurity requirements for financial services organizations
Aug. 10, 2022 · Authored by John Romano, Christopher J. Tait, Russell Sommers
Update: June 14, 2023: The proposed Second Amendment to the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, 23 NYCRR Part 500, was published in the New York State Register on November 9, 2022 and comments were due by January 9, 2023. Comments are in the process of being reviewed. Our financial institution and cybersecurity specialists will be updating this article once updates are available from the NYDFS.
They are more than consultants. The Baker Tilly team raised the quality of our internal audit and risk management functions and helped us through the change management required to ensure success. We are extremely pleased with their work.Craig Campbell, Chief Administrative and Risk Officer, WPS Health Solutions, Wisconsin Physicians Service Insurance Corp.
On July 29, 2022, the New York Department of Financial Services (NYDFS) released Draft Amendments to its Part 500 Cybersecurity Rules. Here are the quick takeaways:
- Creation of a category of covered “Class A” entities, including those with 2,000 or more employees or over $ billion in revenue.
- New compliance obligations for these Class A covered entities include:
- annual independent audits of the company’s cyber program,
- weekly vulnerability scanning with reporting of material identified gaps to management and the board,
- the implementation of a security incident and event incident management (SIEM) solution coupled with endpoint detection/alerting, and
