What's new in the amended New York State Department of Financial Services cybersecurity requirements

November 3, 2023

I'm in New York right now, where the New York State Department of Financial Services (DFS) recently amended their cybersecurity requirements. The updates are effective starting this month (November 2023).

The amendments that stand out:

  • Section 500.4 which was previously headlined "Chief Information Security Officer" is now called "Cyber Governance".
  • Organizations must have an actual CISO (with that title), instead of just a "qualified individual responsible for overseeing and implementing the covered entity’s cybersecurity".
  • The senior governing body (e.g. board of directors) must: (1) understand cybersecurity-related matters to exercise oversight; (2) require executive management to develop, implement and maintain the cybersecurity program; (3) regularly receive and review management reports about cybersecurity matters; and (4) confirm that management has allocated sufficient resources to implement and maintain an effective cybersecurity program.

Some other new requirements of note:

  • Large companies must independently audit their cybersecurity annually.
  • Security policies must be approved at least annually by a senior officer or governing body.
  • The CISO's report to the governing body needs to include plans for remediating material inadequacies.
  • CISOs must report material cyber issues to the senior governing body or officer(s) in a timely manner.
  • Vulnerability management requirements have increased, including the use of automated mechanisms and a way to prioritize and execute remediation based on risk.
  • Privileged access management requirements have increased, including the need for access reviews, automation, and an actual tool.
  • Multi-factor authentication must be enabled on all systems.
  • Organizations must maintain an inventory of assets.
  • Organizations must implement Endpoint Detection and Response.
  • Organizations must centralize logging and event alerting.
  • Organizations must maintain business continuity and disaster recovery plans that include incident response and recovery procedures, which must be tested at least annually.

You can access the full set of regulations and guidance on the NY DFS website.

Ian Yip

Founder/CEO

Latest Posts

April 30, 2024
Navigating the AI Governance Landscape with Avertro
April 25, 2024
How to Effectively Implement AI Governance
April 22, 2024
Why Is AI Governance Important?
April 15, 2024
What is AI Governance?
February 27, 2024
Announcing Support for NIST CSF 2.0 in CyberHQ® less than 12 hours from its release
February 26, 2024
NIST CSF 1.1 vs 2.0 Public Draft vs 2.0 Official Release Circuit Board
April 8, 2024
How Avertro Can Assist With NYDFS Compliance
April 2, 2024
Navigating Compliance: Effective Implementation of the NYDFS Cybersecurity Regulations
March 25, 2024
The Critical Importance of NYDFS Cybersecurity Regulations
March 21, 2024
Understanding NYDFS Cybersecurity Regulations: A Primer for Class A Companies
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept