
FoxPointe Security Hub

Proposed Changes to NYSDFS Cybersecurity Rule for Financial Institutions

August 9, 2022

The New York State Department of Financial Services (NYSDFS) has proposed several changes to the existing 23 NYCRR Part 500 – Cybersecurity Requirements for Financial Services Companies (the Cybersecurity Regulation or Part 500). They include items such as:

  • Classification of “Class A” companies, which are those with over 2,000 employees or over $1 billion in gross annual revenue (as an average over three years). These Class A companies will need to meet new requirements such as annual independent audits and risk assessments, new password expectations, more frequent vulnerability scanning and more.
  • Definition of a “Covered Entity”, which means any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law, including entities that are also regulated by other government agencies.
  • Increased expectation of CISO independence and reporting to the Board.
  • New requirements for Asset Inventorying and the policies and procedures that support the program.
  • Multifactor authentication for all privileged accounts.
  • New reporting requirements for extortion payments and ransomware events.

 

NYSDFS offered a 60-day comment period for feedback on the proposal, followed by 180 days after publication of the final rule to implement the changes. FoxPointe will continue to monitor the proposal as it moves through its various stages and amendments. We currently recommend that your Privacy and Security Officers monitor the proposed changes.

The current draft amendments to Part 500 are available for full review on the Department of Financial Services website: https://www.dfs.ny.gov/industry_guidance/regulations/outreach_fsl
