New York Department of Financial Services updates cybersecurity requirements for financial services organizations
Aug 09, 2022 · Authored by John Romano, Christopher J. Tait, Russell Sommers
Update: June 14, 2023: The proposed Second Amendment to the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, 23 NYCRR Part 500, was published in the New York State Register on November 9, 2022 and comments were due by January 9, 2023. Comments are in the process of being reviewed. Our financial services and cybersecurity specialists will be updating this article once updates are available from the NYDFS.
On July 29, 2022, the New York Department of Financial Services (NYDFS) released Draft Amendments to its Part 500 Cybersecurity Rules. Here are the quick takeaways:
- Creation of a category of covered “Class A” entities, including those with 2,000 or more employees or over $ billion in revenue.
- New compliance obligations for these Class A covered entities include:
  - annual independent audits of the company’s cyber program,
  - weekly vulnerability scanning with reporting of material identified gaps to management and the board,
  - the implementation of a security information and event management (SIEM) solution coupled with endpoint detection/alerting, and
  - the implementation of a password vaulting solution, including automated blocking of commonly used passwords.
- The proposed amendment adds clarity to the requirements for risk assessments, asset management, access control, several layers of information security governance (CISO, BoD), required policies, procedures and plans, testing of organizational response plans and updated protocols for correspondence with the Superintendent (certifications and event notification).
- Those with exposure to the NYDFS Cyber Law should begin assessing how these proposed changes will impact their organization to better align their cyber program with these new requirements. Baker Tilly’s cybersecurity and regulatory specialists can help you navigate what the new amendments, if adopted, may mean for your organization and how to prepare.