New York State Department of Financial Services (NYSDFS) has proposed several changes to the existing 23 NYCRR Part 500 – Cybersecurity Requirements for Financial Services Companies (the Cybersecurity Regulation or Part 500). They include items such as:

• Classification of “Class A” companies, which are those with over 2,000 employees or over $1 billion in gross annual revenue (as an average over three years). These Class A companies will need to meet new requirements such as annual independent audits and risk assessments, new password expectations, more frequent vulnerability scanning and more.
• Definition of a “Covered Entity”, which means any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law, including entities that are also regulated by other government agencies.
• Increased expectation of CISO independence and reporting to the Board.
• New requirements for Asset Inventorying and the policies and procedures that support the program.
• Multifactor authentication for all privileged accounts.
• New reporting requirements for extortion payments and ransomware events.

NYSDFS offered a 60-day comment period for feedback on the proposal, followed by 180 days post publishing of the final rule to implement the changes. FoxPointe will continue to monitor the proposal as it reaches its various stages and amendments. We currently recommend the proposed changes are monitored by your Privacy and Security Officers.  

The current draft amendments to Part 500 are available for full review on the Department of Financial Services website https://www.dfs.ny.gov/industry_guidance/regulations/outreach_fsl