The New York State Department of Financial Services (NYDFS) adopted comprehensive amendments to its cybersecurity regulations (known as Part 500) on Nov. 1. The draft amendments were first published in July 2022 and finalized after three rounds of public comment. The amendments take effect on Dec. 1, 2023, with “transitional periods” of up to 24 months from the date of publication for covered entities to comply with certain provisions.[1]
Heightened Requirements for ‘Class A Companies’
One of the biggest changes to Part 500 is the creation of a new class of covered entity called “Class A Companies.” A “covered entity” under the NYDFS is any person, partnership, or other entity operating or required to operate under a license, registration, charter, permit, or similar authorization under New York’s Banking Law, Insurance Law, or Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies.
Under the amendments, “Class A Companies” are defined as covered entities that have over $20 million in gross annual revenue in each of the past two years from business operations in New York and either (1) have over…
