What's new in the amended New York State Department of Financial Services cybersecurity requirements

November 3, 2023

I'm in New York right now, where the New York State Department of Financial Services (DFS) recently amended their cybersecurity requirements. The updates are effective starting this month (November 2023).

The amendments that stand out:

  • Section 500.4 which was previously headlined "Chief Information Security Officer" is now called "Cyber Governance".
  • Organizations must have an actual CISO (with that title), instead of just a "qualified individual responsible for overseeing and implementing the covered entity’s cybersecurity".
  • The senior governing body (e.g. board of directors) must: (1) understand cybersecurity-related matters to exercise oversight; (2) require executive management to develop, implement and maintain the cybersecurity program; (3) regularly receive and review management reports about cybersecurity matters; and (4) confirm that management has allocated sufficient resources to implement and maintain an effective cybersecurity program.

Some other new requirements of note:

  • Large companies must independently audit their cybersecurity annually.
  • Security policies must be approved at least annually by a senior officer or governing body.
  • The CISO's report to the governing body needs to include plans for remediating material inadequacies.
  • CISOs must report material cyber issues to the senior governing body or officer(s) in a timely manner.
  • Vulnerability management requirements have increased, including the use of automated mechanisms and a way to prioritize and execute remediation based on risk.
  • Privileged access management requirements have increased, including the need for access reviews, automation, and an actual tool.
  • Multi-factor authentication must be enabled on all systems.
  • Organizations must maintain an inventory of assets.
  • Organizations must implement Endpoint Detection and Response.
  • Organizations must centralize logging and event alerting.
  • Organizations must maintain business continuity and disaster recovery plans that include incident response and recovery procedures, which must be tested at least annually.

You can access the full set of regulations and guidance on the NY DFS website.

Ian Yip

By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.