New York Raises the Bar Again: Revised Cybersecurity Requirements for Financial Services Companies Finalized


On November 1, 2023, the New York Department of Financial Services (NY DFS) published its highly anticipated final amendments to its influential cybersecurity requirements for financial services companies (Part 500). These amendments significantly alter New York’s cybersecurity standards, with some changes effective and enforceable immediately. Importantly, the amendments alter the current regulatory regime to: (1) require greater senior officer and board responsibility for cybersecurity; (2) expand the incidents that are reportable within 72 hours; (3) enshrine and expand long-time regulatory expectations like multifactor authentication and encryption; and (4) revamp the annual certification process to allow either a certification of material compliance or written acknowledgment of material non-compliance, closing a bedeviling catch-22.

  1. Applicability & Class A Companies


While NY DFS’s cybersecurity requirements for financial services companies continue to apply to all NY DFS-licensed persons, the amendments define a new class of covered entities that are subject to heightened requirements under the regulations. These Class A companies have at least $20,000,000 in…
