On July 29, 2022, the New York Department of Financial Services (“NYDFS”) released Draft Amendments to its Cybersecurity Rules.
The Draft Amendments focus on Part 500 of the Rules and propose, amongst other things, to:
Amend certain definitions, notably by introducing a new category of "Class A companies" (i.e. covered entities with over 2,000 employees, or over $1 billion in gross annual revenue averaged over the last three fiscal years from all business operations of the covered entity and all of its affiliates), which are subject to additional requirements.
Compel covered entities to ensure that their cybersecurity programs take into account nonpublic information stored on their information systems.
Require Class A companies to conduct an independent audit of their cybersecurity programs at least annually.
Strengthen the governance requirements applicable to covered entities, which must implement and maintain written policies covering, among other areas, information security, data governance and classification, asset inventory and device management, systems operations and availability concerns, and systems and network security.
Require each Chief Information Security Officer (CISO) to have adequate independence and authority to ensure that cybersecurity risks are appropriately managed. The CISO must produce written reports addressing, among other things, the confidentiality of nonpublic information, the integrity and security of the covered entity's information systems, and the covered entity's cybersecurity policies and procedures. The CISO's mandate also includes the timely reporting of material cybersecurity issues to the senior governing body.
Require covered entities to conduct penetration testing of their information systems through a qualified independent party.
Require each covered entity to notify the superintendent electronically, in the form set forth on the department's website, as promptly as possible but in no event later than 72 hours from the determination that a cybersecurity event has occurred.
Compel covered entities to include a written encryption policy and written incident response plans in their cybersecurity compliance programs.
The NYDFS Cybersecurity Regulation, 23 NYCRR 500, sets out a series of requirements applicable to financial institutions and financial services companies licensed by the NYDFS. The regulation became effective on March 1, 2017, with the last of its transitional compliance deadlines falling in March 2019.