New York Department of Financial Services updates cybersecurity requirements for financial services organizations

On July 29, 2022, the New York Department of Financial Services (NYDFS) released Draft Amendments to its Part 500 Cybersecurity Rules. Here are the quick takeaways:

  • Creation of a category of covered “Class A” entities, including those with 2,000 or more employees or over one billion dollars in revenue.
  • New compliance obligations for these Class A covered entities include:
    1. annual independent audits of the company’s cyber program,
    2. weekly vulnerability scanning with reporting of material identified gaps to management and the board,
    3. the implementation of a security information and event management (SIEM) solution coupled with endpoint detection/alerting, and
    4. the implementation of a password vaulting solution, including automated blocking of commonly used passwords.
  • The proposed amendment adds clarity to the requirements for risk assessments, asset management, access control, several layers of information security governance (CISO, board of directors), required policies, procedures and plans, testing of organizational response plans, and updated protocols for correspondence with the Superintendent (certifications and event notification).
  • The pre-proposal comment period ends August 8, 2022, with the official publishing and 60-day comment period likely in the near future.

Those with exposure to the NYDFS Cyber Law should begin assessing how these proposed changes will impact their organization to better align their cyber program with these new requirements. Baker Tilly’s cybersecurity and regulatory specialists can help you navigate what the new amendments, if adopted, may mean for your organization and how to prepare.

John Romano
Partner
Christopher J. Tait
Principal
Russell Sommers
Director