NYDFS Publishes Official Amendments To Its Cybersecurity Regulation (Part 2) – Answers To The Top Questions From Our Webcast


On November 9, 2022, the New York Department of Financial
Services (the “NYDFS”) announced the publication of the official proposed amendments to its 2017 Cybersecurity Regulation 23 NYCRR 500
(the “Proposed Amendments”). The 60-day public comment
period for the Proposed Amendments ends on January 9, 2023. We
provided our initial thoughts on the Proposed Amendments in a blog post, and then held a webcast on November 18, 2022, during which
we received several questions that we did not have time to answer.
Below are those questions, along with answers that illustrate some
of the remaining ambiguities that the Proposed Amendments present,
which hopefully will be resolved during the comment process.

Question #1: Are affiliates of covered entities, which are not
themselves covered entities, subject to the new requirements set
forth in the Proposed Amendments?

Technically, no. Practically, maybe. We
received several versions of this question. By their terms, the
Proposed Amendments do not draw in affiliates of covered entities.
But as more cybersecurity requirements are placed on covered
entities, they are more likely to rely on outside assistance for
compliance. To…
