Following up on the recent release by the New York Department of Financial Services (“NYDFS”) of an updated Proposed Second Amendment to its “first-in-the-nation” Cybersecurity Regulation, 23 NYCRR Part 500 (Proposed Second Amendment released June 28, 2023), it is not too late for companies to submit comments on the most recent version of the proposed changes from NYDFS.  Comments are due by 5:00 p.m. ET on August 14.

As background, the NYDFS Cybersecurity Regulation took effect in March 2017, including a robust set of cybersecurity requirements as well as a 72-hour incident notification requirement for NYDFS licensees.  After releasing an initial draft of a proposed amendment on July 29, 2022, NYDFS released the first version of a Proposed Second Amendment to the regulation in November 2022 with a public comment period that closed on January 9, 2023.  The changes proposed in November 2022 included several significant updates to the regulation with respect to:

  • Increased cybersecurity governance and board oversight requirements;
  • The creation of “classes” of companies subject to different requirements;
  • The introduction of new reporting requirements for privileged account compromise, ransomware deployment, and “extortion” payments; and
  • The enumeration of factors to be considered in enforcement decisions, among others. 

After reviewing the comments received on these proposed changes, NYDFS released an updated version of the Proposed Second Amendment on June 28, 2023 with adjustments made in response to these comments.  The revisions reflect adjustments rather than substantial changes to the prior version, and include among other things: 

  • Clarifying that a CISO must be a “qualified individual” responsible for an entity’s cybersecurity program and policy (Section 500.1(c));
  • Narrowing the definition of “privileged accounts” that will be subject to some of the new programmatic and reporting requirements (Section 500.1(m));
  • Specifying that  newly required annual independent audits of cybersecurity programs for “Class A” companies can be conducted by internal or external auditors that meet certain requirements (Section 500.1(g));
  • Clarifying that the board must exercise effective oversight over an entity’s cybersecurity risk management but eliminating the requirement that the board have “sufficient expertise and knowledge” (Section 500.4); and
  • Requiring companies to conduct a “root cause analysis” as part of incident response (Section 500.16).

As noted above, the updated version is subject to an additional comment period, and stakeholders may submit comments before 5:00 p.m. ET on August 14, 2023.  Comments should be sent by email to cyberamendment@dfs.ny.gov or by mail to the New York State Department of Financial Services c/o Cybersecurity Division, Attn: Joanne Berman, 1 State Street Plaza, Floor 19, New York, NY, 10004.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Micaela McMurrough Micaela McMurrough

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other…

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and she regularly represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Photo of Caleb Skeath Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting…

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.

Photo of Rachel Sang Rachel Sang

Rachel Sang is a litigation associate in the New York office and member of the Data Privacy and Cybersecurity Practice Group. She advises clients on a broad range of technology and cybersecurity matters, including internal investigations, regulatory inquiries, litigation, and cybersecurity incident response.