On July 29, the New York Department of Financial Services (NYDFS) released Draft Amendments to its Part 500 Cybersecurity Rules that would impose new obligations on financial institutions on reporting, governance, testing, access management, risk assessment, business continuity plans, among others.

If adopted, the new rules would require financial institutions to:

  • notify NYDFS within 72 hours of any unauthorized access to privileged accounts or detection of ransomware affecting a material part of its information system;
  • update risk assessment and obtain approval of its cybersecurity policy from its board of directors or senior governing body at least annually;
  • require its board to have sufficient expertise and knowledge, or be advised by persons with such expertise and knowledge, to exercise effective oversight of cyber risk and its cybersecurity personnel;
  • provide adequate independence and risk management authority to its chief information security officer, or CISO;
  • ensure timely reporting by the CISO to its senior governing body of material cybersecurity issues; and
  • utilize multi-factor authentication for all privileged accounts, except service accounts, and remote access to nonpublic information.

Putting It Into Practice: Financial institutions subject to the NYDFS regulations should continue to monitor the proposed rulemaking, which, if approved, would impose significant obligations on covered entities. Companies should also begin to evaluate the extent to which their cyber programs are compliant with these new requirements. After the proposed rules go into effect, covered entities will have 180 days to ensure compliance.