Micaela McMurrough and Caleb Skeath of Covington & Burling write:
Following up on the recent release by the New York Department of Financial Services (“NYDFS”) of an updated proposed second amendment to its “first-in-the-nation” Cybersecurity Regulation, 23 NYCRR Part 500 (proposed second amendment released June 28, 2023), it is not too late for companies to submit comments on the most recent version of the proposed changes from NYDFS. Comments are due by 5:00 p.m. ET on August 14.
As background, the NYDFS Cybersecurity Regulation took effect in March 2017, including a robust set of cybersecurity requirements as well as a 72-hour incident notification requirement for NYDFS licensees. After amending the regulation on July 29, 2022, NYDFS released the first draft of a proposed second amendment to the regulation in November 2022 with a public comment period that closed on January 9, 2023. The changes proposed in November 2022 included several significant updates to the regulation with respect to:
- Increased cybersecurity governance and board oversight requirements;
- The creation of “classes” of companies subject to different requirements;
- The introduction of new reporting requirements for privileged account compromise, ransomware deployment, and “extortion” payments; and
- The enumeration of factors to be considered in enforcement decisions, among others.
After reviewing the comments received on these proposed changes, NYDFS released an updated version of the proposed changes on June 28, 2023, with adjustments made in response to these comments.
Read more about the proposed amendment at Inside Privacy.