New York Department of Financial Services updates cybersecurity requirements for financial services organizations

On July 29, 2022, the New York Department of Financial Services (NYDFS) released Draft Amendments to its Part 500 Cybersecurity Rules. Here are the quick takeaways:

• Creation of a category of covered “Class A” entities, including those with 2,000 or more employees or over $ billion in revenue.
• New compliance obligations for these Class A covered entities include:

1. annual independent audits of the company’s cyber program,
2. weekly vulnerability scanning with reporting of material identified gaps to management and the board,
3. the implementation of a security incident and event incident management (SIEM) solution coupled with endpoint detection/alerting, and
4. the implementation of a password vaulting solution including automated blocking of commonly used passwords were added.

• The proposed amendment adds clarity to the requirements for risk assessments, asset management, access control, several layers of information security governance (CISO, BoD), required policies, procedures and plans, testing of organizational response plans and updated protocols for correspondence with the Superintendent (certifications and event notification).
• Those with exposure to the NYDFS Cyber Law should begin assessing how these proposed changes will impact their organization to better align their cyber program with these new requirements. Baker Tilly’s cybersecurity and regulatory specialists can help you navigate what the new amendments, if adopted, may mean for your organization and how to prepare.