Following up on the recent release by the New York Department of Financial Services (“NYDFS”) of an updated Proposed Second Amendment to its “first-in-the-nation” Cybersecurity Regulation, 23 NYCRR Part 500 (Proposed Second Amendment released June 28, 2023), it is not too late for companies to submit comments on the most recent version of the proposed changes from NYDFS. Comments are due by 5:00 p.m. ET on August 14.
As background, the NYDFS Cybersecurity Regulation took effect in March 2017, including a robust set of cybersecurity requirements as well as a 72-hour incident notification requirement for NYDFS licensees. After releasing an initial draft of a proposed amendment on July 29, 2022, NYDFS released the first version of a Proposed Second Amendment to the regulation in November 2022 with a public comment period that closed on January 9, 2023. The changes proposed in November 2022 included several significant updates to the regulation with respect to:
- Increased cybersecurity governance and board oversight requirements;
- The creation of “classes” of companies subject to different requirements;
- The introduction of new reporting requirements for privileged account compromise, ransomware deployment, and “extortion” payments; and
- The enumeration of factors to be considered in enforcement decisions, among others.
After reviewing the comments received on these proposed changes, NYDFS released an updated version of the Proposed Second Amendment on June 28, 2023 with adjustments made in response to these comments. The revisions reflect adjustments rather than substantial changes to the prior version, and include among other things:
- Clarifying that a CISO must be a “qualified individual” responsible for an entity’s cybersecurity program and policy (Section 500.1(c));
- Narrowing the definition of “privileged accounts” that will be subject to some of the new programmatic and reporting requirements (Section 500.1(m));
- Specifying that newly required annual independent audits of cybersecurity programs for “Class A” companies can be conducted by internal or external auditors that meet certain requirements (Section 500.1(g));
- Clarifying that the board must exercise effective oversight over an entity’s cybersecurity risk management but eliminating the requirement that the board have “sufficient expertise and knowledge” (Section 500.4); and
- Requiring companies to conduct a “root cause analysis” as part of incident response (Section 500.16).
As noted above, the updated version is subject to an additional comment period, and stakeholders may submit comments before 5:00 p.m. ET on August 14, 2023. Comments should be sent by email to email@example.com or by mail to the New York State Department of Financial Services c/o Cybersecurity Division, Attn: Joanne Berman, 1 State Street Plaza, Floor 19, New York, NY, 10004.