New York Department of Financial Services Proposed Amendments to Cybersecurity Regulation: What it Means for Covered Entities

December 14, 2022

By Daniel B. Garrie

Proposed Amendments to Cybersecurity Regulation

On November 9, 2022, the New York Department of Financial Services (NYDFS) issued a proposed second amendment to its 2017 Cybersecurity Regulation, 23 NYCRR Part 500 (the “Proposed Amendments”). The Proposed Amendments follow a closely watched pre-proposal comment period, in which NYDFS considered the comments it received on the earlier pre-proposed amendments. The 60-day public comment period for the Proposed Amendments ends on January 9, 2023. The amendments create a new subset of covered entities subject to heightened requirements, and they impose new obligations on all covered entities concerning incident reporting timelines, governance, and technical and organizational controls. This post discusses some of the more significant changes in the Proposed Amendments, with a focus on the additional requirements placed on the new category of covered entities.

The Proposed Amendments would create a new category of “Class A companies”: covered entities with $20 million or more in gross annual revenue in each of the prior two fiscal years from business operations in New York (counting the covered entity and its affiliates), and either (i) more than 2,000 employees, averaged over the past two fiscal years, counting employees of both the covered entity and its affiliates regardless of location; or (ii) more than $1 billion in gross annual revenue in each of the prior two fiscal years from all business operations of the covered entity and its affiliates. This new class would face cybersecurity requirements beyond those imposed on covered entities generally.

Two of the most significant new requirements for Class A companies are independent audits and enhanced risk assessments. Class A companies must undertake independent audits of their cybersecurity programs, conducted by external auditors who are “free to make decisions not influenced by” the covered entity. This is a meaningful change from the “independent audit” described in the pre-proposed amendments, which would have allowed the audit to be performed by either an internal or an external auditor.

In addition, covered entities must review and update their risk assessment at least annually, and Class A companies must use external experts to conduct their risk assessment at least once every three years. Under the current regulation, covered entities need only conduct risk assessments “periodically” and “as reasonably necessary to address changes to the covered entity’s information systems, nonpublic information, or business operations.” Further, the risk assessment would have to be updated whenever a change in the business or technology causes a material change to the covered entity’s cyber risk.

The Proposed Amendments also contain new incident reporting provisions. Each covered entity must provide NYDFS, in a standard electronic form, with the information it requests about the investigation of a cybersecurity incident that has been reported to the Department; the investigative findings are due within 90 days [500.17(a)(2)]. Covered entities must also report cybersecurity incidents at third parties within 72 hours, running from the time the covered entity becomes aware of the incident [500.17(a)(3)].

The Proposed Amendments introduce additional requirements for Chief Information Security Officers (“CISOs”) and boards of directors; New York continues to signal to companies that cybersecurity is a matter of corporate governance. The Proposed Amendments drop the CISO independence requirement contained in the pre-proposed amendments, but they require that the CISO have the authority to direct sufficient resources to implement and maintain the cybersecurity program. The board, for its part, must have sufficient expertise and knowledge of cyber risk to provide effective oversight, approve the company’s cybersecurity policies, procedures, and risk assessment, receive briefings from the CISO at least annually, and review any material issues arising from vulnerability assessments and penetration tests. Senior management must also be actively engaged, beyond the individual obligations placed on the CISO and the board: the CEO and the CISO must co-sign the annual attestation of compliance, the CEO and senior officers must participate in incident response plan testing, and senior officers must also be present for business continuity plan testing.

In light of the Proposed Amendments, covered entities should consider how the changes would affect their business. If the amendments are adopted, NYDFS-regulated entities should consider taking the following steps to prepare for compliance:

  1. Conduct tabletop exercises, so that the covered entity’s employees are well trained in their roles and responsibilities for limiting harm in the event of an incident.
  2. Determine whether the entity is a Class A company and, if so, assess the additional compliance obligations that would apply.
  3. Revise current incident response plans to reflect the Proposed Amendments and the new notification obligations for ransomware, unauthorized access to privileged accounts, and third-party security events, including the associated reporting requirements. The revised plan should also address the justification that would have to accompany any payment that could be characterized as an extortion payment.

NYDFS’ Proposed Amendments are further evidence that cyber risk is not simply a technical issue. The security team, the board, and senior management must each treat it as a core responsibility. Covered entities should also review their cybersecurity practices and procedures now to confirm they have controls sufficient to comply with these anticipated New York regulatory changes.
