DFS 500 Second Amendment Implementation Dates

Today I attended a presentation by the superintendent and deputy superintendent of the New York State Department of Financial Services. A lot of information was provided, and we intend to make multiple posts based on what we learned.

As a first step, here are the implementation dates provided by DFS. In general these apply to “standard” non-exempt organizations. Where possible we will outline the requirements for covered entities with limited exemptions.

December 1, 2023

  • New reporting requirements, particularly around ransomware payments

    • Payments must be reported within 24 hours

    • Covered entities have 30 days to explain the reason for the payment, the decision-making process, and impacts on other regulations such as those of the Office of Foreign Assets Control (OFAC)

    • Third-party breaches must be reported

    • If a covered entity reports an incident to any governmental agency, even outside New York, DFS must also be notified

April 15, 2024

  • The CISO must sign any compliance attestations. If the CISO is outsourced, the senior officer responsible for supervising the CISO must attest instead

April 29, 2024

  • Internal and external penetration testing must be completed annually or after major system changes

  • Covered entities must have a “monitoring process in place to promptly inform of new security vulnerabilities”

  • Covered entities must prioritize remediation of vulnerabilities and complete it in a timely manner

  • Risk assessment requirements expand, and the assessment must be updated annually

  • Policies must be expanded and updated annually

  • Cybersecurity training must be provided to all employees at least annually and must now include social engineering training (i.e. phishing training)

November 1, 2024

  • Limited exemption covered entities must:

    • Implement Multi-Factor Authentication (MFA) on:

      • All remote access

      • All external third-party systems

      • Privileged accounts

    • Provide security awareness training to all employees at least annually (it should be noted that there is no requirement for social engineering training under the limited exemption)

  • Increased encryption requirements

    • Encryption policies

    • Must consider all forms of encryption (data at rest as well as in transit), not just encryption across an external network

    • CISO can approve reasonable compensating controls

  • The CISO must:

    • Report to the board on any material inadequacies of the cybersecurity program

    • Report any material cybersecurity issues to the board

  • The board must:

    • “Exercise oversight of the risk management program”

    • Have sufficient understanding of cybersecurity, or be advised by professionals who do

  • Incident Response Plans must be updated, reviewed and tested

  • Business Continuity and Disaster Recovery (BCDR) plans must be updated and reviewed annually

    • Employees must be trained on BCDR procedures

  • The covered entity must maintain backups and test the restoration of critical data and systems

May 1, 2025

  • Limit access privileges using “Role Based Access Controls” and the “Principle of Least Privilege”

  • Promptly deactivate inactive accounts, including those of employees who separate from the company

  • Disable unnecessary services and protocols

  • Implement a password policy based on “industry best practices”

  • Conduct automated vulnerability scans “at the frequency determined by the risk assessment”

  • Protect against malicious code, including anti-malware on all systems, web filtering, and email filtering

November 1, 2025

  • “Standard” non-exempt organizations must implement MFA for all individuals on all systems

    • It should be noted that this requirement does not mention whether or not the system can access Non-Public Information (NPI)

    • The CISO can approve compensating controls that provide equivalent or superior protection

  • Implement an asset management/inventory system