The New York Department of Financial Services (“NYDFS”) has released a proposed Second Amendment to its Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500, “Part 500”). Among the proposed changes is a requirement for multi-factor authentication for remote access to systems. The 60-day public comment period for the proposed amendments ends on January 9, 2023. Covered entities should review the proposed amendments thoroughly and consider submitting comments by the deadline. The proposed amendment follows NYDFS’s pre-proposal outreach from earlier this year.
The most significant of the proposed changes is the creation of a separate category of regulated entities known as “Class A companies.” Previously, Part 500 applied uniformly to all non-exempt entities operating under a license, registration, charter, or similar authorization under the New York Banking Law, Insurance Law, or Financial Services Law. The proposed amendments would add a set of enhanced requirements for Class A companies, defined as covered entities that have gross annual revenues of at least $20 million in each of the last two fiscal years from business operations in New York and that also either (1) exceed a threshold for average number of employees (including employees of affiliates, wherever located) over the last two fiscal years, or (2) have more than $1 billion in gross annual revenues (including revenues of affiliates) from all business operations, wherever located, in each of the last two fiscal years.
Enhanced requirements that would apply specifically to Class A companies include:
- an independent audit of the cybersecurity program at least annually;
- controls that block weak or commonly used passwords on all accounts used on company systems (or, where that is infeasible, alternative compensating controls);
- a cybersecurity risk assessment conducted by an outside expert at least once every three years;
- implementation of an endpoint detection and response (EDR) solution to monitor for anomalous cybersecurity-related activity, including lateral movement; and
- implementation of a centralized solution for logging and alerting on security events.
Additional changes found in the proposed amendments include: a monitoring process to ensure prompt notification of newly disclosed security vulnerabilities; written policies and procedures for vulnerability management; automated vulnerability scanning; annual penetration testing; and requirements to review and update the annual risk assessment.
Importantly, covered entities would be required to use multi-factor authentication for anyone with remote access to any of the entity’s information systems or third-party applications. This includes, but is not limited to, cloud-based applications from which non-public information is accessible. So-called “privileged accounts” (accounts that can perform security-related functions that ordinary users are not authorized to perform, or accounts that can materially alter the technical or business operations of the covered entity) would also have to be protected by multi-factor authentication.
Finally, the proposed amendment also defines three additional types of cybersecurity event that must be reported to NYDFS within 72 hours:
- unauthorized access to a privileged account;
- deployment of ransomware within a material part of the covered entity’s information systems; and
- a cybersecurity event at a third-party service provider that also affects the covered entity.
Once the final amendment is adopted, it will take effect when the notice of adoption is published in the New York State Register. Covered entities would then have 30 days to comply with most of the updated provisions, with transition periods of one to two years for the remaining provisions.