Proposed Changes to NYDFS: What You Should Know 

Updated on September 23, 2022 by Ian Terry

Share this article!

Five years ago, the New York Department of Financial Services new Cybersecurity Regulation went into effect. The NYDFS Cybersecurity regulations were a big development because, at the time, it was the first comprehensive regulation of its kind in the United States.  

New York is the first state in the nation to successfully pass and implement a statewide Cybersecurity Regulation. The regulation was designed to protect New Yorkers—and consumers in general—from the growing threat of cyberattacks and help safeguard organizations operating in the financial services industry from data breaches. 

Recently, at the end of July 2022, the NYDFS released draft amendments to Part 500 of the 23 NYCRR also known as the ‘Cybersecurity Regulation’.  

Related article: the Development of the New York State DFS Cybersecurity Regulation. 

What Changes Are Expected to the NYDFS Cybersecurity Regulations? 

The new regulations would compel financial firms to: 

• Notify the NYDFS of any illegal access to privileged information or the discovery of ransomware affecting a significant portion of its information system within 72 hours; 
• Update its cybersecurity and update risk assessment policy and present updates to its board of directors or senior governing body at least once every year 
• Require the board to exert adequate control over cyber risk and its cybersecurity staff, or to get advice from outside experts with the necessary skills and knowledge; 
• Utilize multi-factor authentication for all privileged accounts and remote access to non-public information. Assure that the organization’s chief information security officer, or CISO, has enough independence and risk management authority. 

How Does this Effect Companies Subject to NYDFS Cybersecurity Regulations? 

The NYDFS Cybersecurity Regulations still apply to all types of credit unions, health insurers, investment companies, licensed vendors, life insurance companies, mortage brokers, savings and loan associations, private bankers, offices of foreign banks, and commercial banks operating in the state of New York. These financial institutions are likely already required to comply with regulations such as PCI DSS or SANS CSC 20.

Financial institutions subject to NYDFS cybersecurity regulations should make an effort to stay updated on the proposed changes. If adopted, these changes would mark a significant increase in targeted compliance measures for covered entities. In the meantime, as we await a final decision regarding the proposed update, businesses should start assessing how well their cybersecurity programs adhere to the new requirements. If, and when, the changes go into effect, they will have 180 days to make sure they are in compliance with the new standards. 

Find out more about AWA’s comprehensive NYDFS Cybersecurity Compliance services. 

About The Author

Ian Terry

Ian has 7 years in the Information Technology field with 4 years in Cybersecurity, Compliance, and IT auditing. He has performed numerous risk assessments and audits related to NIST, HIPAA, HITRUST, FISMA, PCI, and CMSR. He is also an expert in third-party risk management having built a SaaS security platform for streamlining third-party risk assessments. Ian's cybersecurity writings have been published in Hackernoon, Security Boulevard and CISO Mag. He holds a B.S. in Cybersecurity from a national center of academic excellence in cybersecurity as recognized by the NSA and DHS and has CSM, HCISPP, and SSCP certifications.