New York State’s Department of Financial Services Issues Five New Cybersecurity Amendments

September 28, 2022

By Joseph Nguyen and Austin Jacks

Following an increase in ransomware attacks,[1] the New York State Department of Financial Services (NYS DFS), which oversees regulation for financial services and products totaling over $8.8 trillion, has issued five new amendments to the Part 500 Cybersecurity regulations for Class A companies, financial organizations that have over 2,000 employees or generates over $1 billion in annual revenue.  

These five new amendments, which are expected to go into effect by the end of this year, include the following:

  1. Annual audits of a firm’s cybersecurity program by an independent third party;
  2. An endpoint detection and response (EDR) solution on all computers to support network monitoring and incident response;
  3. Automated scans to detect and correct potential network vulnerabilities;
  4. Formal tests of business continuity and disaster recovery plans that simulate recovery procedures after a technology or operational outage event; and
  5. Notifying impacted parties as soon as possible and within 72 hours if unauthorized data access or ransomware is detected.

The NYS DFS initially put the Part 500 Cybersecurity requirements for financial services companies into effect on March 1, 2017. These regulations place cybersecurity requirements on all covered entities (financial institutions and financial services companies). The Part 500 regulations require New York banks, insurance companies, and other regulated financial services institutions to assess their cybersecurity risk profile. These regulations are designed to help mitigate the continuous threat that is posed to financial institutions by cyber criminals and ensure that their business is fully protected from these attacks.

In light of the updated cybersecurity requirements, financial services firms that are impacted by them are encouraged to leverage an outsourced internal audit and technology risk management team to manage and automate the above mentioned amendments.


(1)Cyber Insurers Hike Rates But Worry About Pricing Long-Term As Losses Mount: Fitch (insurancejournal.com)

Have Questions or Comments?

If you have any questions, we'd like to hear from you.