In July 2022, the New York Department of Financial Services (DFS) issued proposed rulemaking, a second amendment to 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies. CDIA filed a comment in connection with this initial rulemaking. CDIA made the following points in the comment:

In short, the pre-proposed amendments raise more than a few initial questions and concerns, not least of which is the propriety of imposing potentially new cybersecurity requirements on businesses at a time when many are actively assessing and revising their cybersecurity programs for compliance with new Federal Trade Commission (FTC) Safeguards Rule requirements, which may or may not overlap with DFS’s pre-proposals. Should DFS decide to move forward, we urge the agency to afford sufficient process and time for formal comment and review as well as implementation should any amendments ultimately become effective.

According to a Debevoise & Plimpton analysis, the proposal includes “a mandatory 24-hour notification for cyber ransom payments, annual independent cybersecurity audits for larger entities, increased expectations for board expertise, and tough new restrictions on privileged accounts.” The analysis continues:

The proposal would create a category of “Class A” companies, which are covered entities with over 2,000 employees or over $1 billion in gross annual revenues averaged over the last three years from all business operations of the company and its affiliates. Class A companies are subject to several additional cybersecurity obligations, including [audits, vulnerability assessments, password controls, and monitoring].

There are a number of proposed governance changes, risk assessments, notices, disclosures, and penalties.

On November 9, 2022, the proposed second amendment to 23 NYCRR Part 500 (DFS Cybersecurity Regulation) was published in the New York State Register. CDIA filed a comment on this proposal. The comment made three points: (1) DFS should reconsider imposing additional cybersecurity requirements on financial institutions that have recently been in the process of rebuilding their information security programs; (2) DFS should address specific areas of textual vagueness; and (3) the regulation should permit independent audits by employed internal audit teams.
