On November 1, 2023, Governor Kathy Hochul announced that the
New York State Department of Financial Services
(“NYSDFS”) amended its Part 500 Cybersecurity Regulations for
state-licensed financial institutions.1 The amendments
reflect the first significant change to the Cybersecurity
Regulations since their inception in 2017 and incorporate new
information security compliance obligations for regulated
entities—institutions operating under or required to obtain a
license or similar authorization under New York’s insurance
law, banking law, or financial services law.2 The
Cybersecurity Regulations accordingly apply to health insurance
companies operating in New York, as well as entities that sell
annuities or other insurance products if such institutions receive
a license from NYSDFS.

Perhaps most notably, the amendments expand on NYSDFS’s
72-hour cybersecurity event reporting obligation and incorporate
new 24-hour reporting requirements for regulated entities that make
extortion payments. In addition, all regulated entities will need
to comply with new cybersecurity governance obligations and
additional cybersecurity measures and controls. Further,…