The New York Department of Financial Services (NYDFS) published its proposed amendment to its 23 NYCRR Part 500 (Cybersecurity Rules) on November 9, 2022, following the release of the draft version on July 29, 2022.
The proposed amendments complement the efforts of the US government to further regulate cybersecurity practices pursuant to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). If adopted, the proposed amendment, among other things, establishes “Class A” companies, and requires covered entities (i.e., insurance companies, banks and other financial institutions regulated by the NYDFS) to, within 180 days, review their existing policies and procedures and ensure compliance with all applicable requirements of the Cybersecurity Rules.
Some of the key changes proposed by the amendment are highlighted below.
Requirements for Class A Companies
The proposed amendment describes “Class A” companies as covered entities with at least $20,000,000 in gross annual revenue from the entity’s (and its affiliates) business operations in New York and, either (1) over 2,000 employees; or (2) over $1,000,000,000 in gross annual revenue, in each…
