NYDFS Proposed Amendments to Its Cybersecurity Rules – JD Supra


On July 29, the New York Department of Financial Services (NYDFS) released Draft Amendments to its Part 500 Cybersecurity Rules. The Draft Amendments include a number of significant changes, including new notification requirements such as a mandatory 24-hour notification for cyber ransom payments, specific requirements for newly defined larger entities, increased expectations for oversight of cybersecurity risk, additional requirements for incident response plans (IRPs), business continuity and training, changes to risk assessments, and new technical requirements. The Draft Amendments can be found here. The 10-day pre-proposal comment period would have ended today, Aug. 8, 2022, but NYDFS has extended the comment period for an additional 10 days, with a new deadline of Aug. 18, 2022. The official proposed amendments will be published following the comment period.
NYDFS Cybersecurity Event Notifications
The Draft Amendments create several new notification requirements:
Class A Companies
The Draft Amendments create a new category of “Class A” companies, which are covered entities with over 2,000 employees or over $1 billion in gross annual revenues averaged over the past three years from all business operations of the company and its affiliates. Class A companies are subject to several additional cybersecurity obligations, including the following:
The Draft Amendments provide several additions to the Part 500 governance requirements:
Risk Assessments
The Draft Amendments make several changes to the risk assessment requirements in Part 500, including:
Incident Response Plans, Business Continuity and Training
The Draft Amendments make changes to the existing requirement for covered entities to have an IRP. The Draft Amendments would require that covered entities have written plans that include proactive measures to mitigate disruptive events and ensure operational resilience.
The Draft Amendments also add several new technology requirements, including:
The current version of the Cybersecurity Rules permits a CISO to approve in writing the use of reasonably equivalent alternative controls in place of multi-factor authentication (MFA) for external access to a covered entity’s internal network. The Draft Amendments would remove this discretion and require MFA for all remote access to the network, as well as for enterprise and third-party applications from which nonpublic information is accessible.
© BakerHostetler | Attorney Advertising