NYDFS Amendments to Cybersecurity Regulations


Effective November 1, 2023, the New York State Department of Financial Services adopted amendments to its cybersecurity regulation, 23 NYCRR Part 500. The purpose of these amendments is to better align the regulation with current industry best practices. The initial updates will take effect on December 1, 2023, while the policy and procedure updates will not take effect until April 2024.

Below, we’ve identified the seven biggest takeaways from the changes in the law that will impact your organization; we will provide a full breakdown of these changes in a new insight coming soon:

  1. Annual penetration testing must be completed “from both inside and outside the information systems boundaries.” This is defined as two different assessments: an internal penetration test and an external penetration test.
  2. Institutions must have a risk-based timeline to remediate identified vulnerabilities.
  3. At a minimum ALL user access privileges in the environment must be reviewed for appropriateness.
  4. Institutions must implement a privileged access management solution and an automated method to block commonly used passwords. Management must also make sure that a password standard is documented in the policy.
  5. Multi-factor authentication (MFA) is required for ALL user accounts accessing any information systems. The amendment specifically notes that MFA must be implemented for all remote access and privileged accounts.
  6. In addition to documenting a defined frequency for how often the asset inventory must be updated, there is now a minimum set of attributes that must be captured for each asset in the inventory:
    1. Owner
    2. Location
    3. Classification
    4. Support expiration date
    5. Recovery time objective (RTO)
  7. The business continuity management plan should now incorporate incident response principles, such as protecting against a cybersecurity-related disruption to the institution’s normal business activities. This includes communication, timely recovery, and procedures for backing up and copying data.

In addition to the above requirements, there are business continuity and Chief Information Security Officer (CISO) role best practices that should be considered. If your organization is not currently utilizing a CISO, consider taking advantage of a virtual CISO (vCISO) — Wolf’s expert vCISO team can help you bridge the gap between regulatory obligations and business objectives.

Institutions affected by these amendments should work towards implementing these takeaways as soon as possible and integrate additional policy updates before April 15, 2024.

Wolf has experience with a significant number of New York State institutions that are required to comply with NYDFS. If you need assistance, reach out to a member of our IT Audit team to discuss full reviews and gap assessments.