Licensees of the New York Department of Financial Services (“DFS”) should be tracking the proposed amendments to the DFS Cybersecurity Regulation. All covered entities under the Regulation will need to revisit their cybersecurity preparedness to satisfy the enhanced regulatory requirements, particularly large entities that meet the definition of “Class A companies” introduced by the proposed amendments. Importantly for many covered entities, the limited exemption for small entities will be expanded to include more entities, and the threshold based on number of employees and independent contractors will be clarified.
Timing
The DFS Cybersecurity Regulation became effective March 1, 2017, with transition periods for various requirements for the next two years. The currently proposed amendments were published November 9, 2022, with the comment period expiring January 9, 2023. Once finalized, the proposed amendments will become effective sometime after the comment period ends, upon publication in the State Register.
Implications for Large Entities
The proposed amendments add the term Class A company to mean:
covered entities with at least $20,000,000 in gross…
