The New York State Department of Financial Services (NYDFS) is updating the 23 NYCRR 500 regulation titled “Cybersecurity Requirements for Financial Services Companies.” Companies have one year to comply with the updated regulation, which encompasses the following:
Asset inventory
Risk assessment
Multi-factor authentication (MFA) implementation
Business continuity and disaster recovery (BCDR)
Governance
CEO/CISO certification
Larger companies (“Class A” companies), with aggregate revenue from New York operations and over $1 billion globally, or 2,000 employees globally, must also:
Complete an annual external audit of cybersecurity program
Use external experts to conduct a risk assessment at least once every three years
Implement an access management password solution and controls to prevent the usage of common passwords for privileged accounts
Implement an end-point detection and response system to monitor for anomalous activity and generate alerts
The regulation also requires a compliance filing, which raises the risk of firms falling short and incurring millions in fines. Companies must also implement new controls, increase the frequency of existing cyber controls, and ensure that their compliance with the regulation is documented.
Least privileged access management solution (section 500.7 on pages 8-9)Encryption (section 500.15 on page 12)
Data retention requirements (section 500.3 on page 5 and section 500.13 on pages 11-12)
Backup and recovery (section 500.16 on pages 13-15)
Register for this exclusive webinar with Salesforce and PwC to explore what the blueprint for SaaS data security looks like in 2023, how to reduce the impact of data breaches, and the importance of ‘zero-trust’ in cloud security.
