NY Department of Financial Services Proposes Amendments to Cybersecurity Requirements for Financial Services Companies
By Alan S. Wernick, Esq., Aronberg Goldgehn
The New York Department of Financial Services (“DFS”) “Cybersecurity Requirements for Financial Services Companies” (“CRFSC”) (23 NYCRR 500) (“Part 500”), effective March 1, 2017, are set for an update in early 2023. In November 2022 DFS announced its proposed amended regulations to Part 500 (see “DFS Superintendent Adrienne A. Harris Announces Updated Cybersecurity Regulation,” available at https://on.ny.gov/3I2warw). DFS Superintendent Harris is quoted as saying, “With cyber-attacks on the rise, it is critical that our regulation keeps pace with new threats and technology purpose-built to steal data or inflict harm. Cyber criminals go after all types of companies, big and small, across industries, which is why all of our regulated entities must comply with these standards – whether a bank, virtual currency company, or a health insurance company.”
Some of the Part 500 proposed amendments include:
- Enhanced accountability and corporate governance requirements for boards of directors and C-suite executives.
- Increased requirements for businesses to invest in periodic (but at a minimum annual) cybersecurity awareness and training (including social engineering exercises).
- A requirement to develop and implement written policies and procedures for vulnerability management that are designed to assess the effectiveness of the covered entity’s cybersecurity program.
- Clarifications concerning the use of access controls to prevent unauthorized access, including multi-factor authentication.
When the comment period ends in early 2023, DFS will review received comments and either propose a revised version or adopt the final regulation as amended. Businesses and their privacy/cybersecurity law counsel should review the proposed Part 500 amendments to determine their impact on businesses’ risk surface.
© 2022 Alan S. Wernick and Aronberg Goldgehn.