NYDFS has proposed amendments to its Cybersecurity Regulation, “Part 500.” According to DFS, the amendments include:
– Creation of three tiers of companies, further tailoring the regulation to a diverse set of businesses with different defensive needs.
– Enhanced governance requirements, thereby increasing accountability for cybersecurity at the Board and C-Suite levels.
– Additional controls to prevent initial unauthorized access to technology systems and to prevent or mitigate the spread of an attack.
– Requiring more regular risk and vulnerability assessments, as well as more robust incident response, business continuity and disaster recovery planning.
– Directing companies to invest in regular training and cybersecurity awareness programs that are relevant to their business model and personnel.
Under the State Administrative Procedure Act, there is a 60-day comment period. The proposed amendments can be found here: https://www.dfs.ny.gov/reports_and_publications/press_releases/pr20221109221