New York Amends Financial Cybersecurity Regulations

New York recently announced amendments to the State Department of Financial Services’ cybersecurity regulations. The changes further solidify the state’s already comprehensive cybersecurity regulatory regime. The amendments were announced by Gov. Hochul and became effective on November 1, 2023. They apply to DFS-regulated entities and aim to strengthen provisions around cyber governance, risk mitigation, incident notification, and training.

New obligations under the amendments include:

  • Senior leadership is now explicitly required to exercise oversight of an entity’s cybersecurity risk management.
  • CISOs must make timely reports to an entity’s senior leadership on material cybersecurity issues, including on cybersecurity events and changes to the entity’s cybersecurity program.
  • Previously required cybersecurity risk assessments must now be conducted annually, or whenever there is a material change to the covered entity’s cyber risk.
  • Entities must now conduct annual cybersecurity awareness training that includes training on how to address social engineering.
  • Incident response plans must now include business continuity and disaster…
