On Nov. 9, 2022, the New York Department of Financial Services (NYDFS) issued a proposed second amendment to its 2017 cybersecurity regulation for financial service companies.[1] In July 2022, NYDFS issued a draft version of the changes, but the current amendment has significant changes. Most of the proposed changes will take effect 180 days after final regulation adoption, likely soon after the comment period closes on Jan. 9, 2023, making most new regulations effective after July 8, 2023.[2]
Go-To Guide:
- Detailed requirements of NYDFS’ proposed amendments to the cybersecurity regulation;
- Heightened requirements for larger financial services companies (“Class A Companies”);
- Changes to limited exemptions.
***
The proposed amendments move beyond administrative and technical safeguards to granular regulations on cybersecurity governance and risk management. Additionally, NYDFS places stricter requirements, detailed below, on larger financial services companies, “Class A Companies.” Class A Companies are those with greater than or equal to $20 million in New York gross annual revenue in the last two fiscal years, and either: greater than 2,000 employees…