New York DFS Cybersecurity Regulation Update: Amendments Proposed November 2022 – JD Supra

Licensees of the New York Department of Financial Services (“DFS”) should be tracking the proposed amendments to the DFS Cybersecurity Regulation.  All covered entities under the Regulation will need to revisit their cybersecurity preparedness to satisfy the enhanced regulatory requirements, particularly large entities that meet the definition of “Class A companies” introduced by the proposed amendments.  Importantly for many covered entities, the limited exemption for small entities will be expanded to include more entities, and the threshold based on number of employees and independent contractors will be clarified.
The DFS Cybersecurity Regulation became effective March 1, 2017, with transition periods for various requirements for the next two years.  The currently proposed amendments were published November 9, 2022, with the comment period expiring January 9, 2023.  Once finalized, the proposed amendments will become effective sometime after the comment period ends, upon publication in the State Register. 
Implications for Large Entities
The proposed amendments add the term Class A company to mean:
covered entities with at least $20,000,000 in gross annual revenue in each of the last two fiscal years from business operations of the covered entity and its affiliates in [New York] and:
(1)  over 2,000 employees averaged over the last two fiscal years, including those of both the covered entity and all of its affiliates no matter where located; or
(2)  over $1,000,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and all of its affiliates. 
Class A entities will be subject to the following new or enhanced requirements under the proposed amendments: 
Changes to the Limited Exemption for Small Entities
Fortunately for many small businesses, the proposed amendments increase the thresholds for certain covered entities to qualify for the limited exemption under Section 500.19(a).  If the covered entity falls below any one of three thresholds, based on (i) headcount, (ii) revenue, or (iii) assets, the limited exemption will apply.  The threshold based on the number of employees and independent contractors of the covered entity and its affiliates is increased from 10 to 20, and the threshold based on total assets is increased from $10 million to $15 million. 
For purposes of counting the employees and independent contractors of the covered entity and its affiliates toward the threshold, the DFS Cybersecurity Regulation currently includes only employees and independent contractors “located in New York or responsible for business of the covered entity.”  Unfortunately, the proposed amendments delete this important qualifier, and therefore count all such persons, regardless of location or responsibility.
As a result, more small entities will qualify for the limited exemption overall, but some small entities with one or more affiliates will now exceed the threshold based on the number of employees and independent contractors, because affiliates' personnel are counted wherever they are located.
There is also a threshold for covered entities with less than $5 million in gross annual revenue.  The proposed amendments limit the revenue counted toward this threshold by adding “in this State,” thereby making the limited exemption available to more covered entities. 
The proposed changes to the limited exemption for small entities can be expected to exempt more covered entities from the full menu of requirements imposed by the DFS Cybersecurity Regulation.  It should be emphasized, however, that the limited exemption covers many, but not all, of the requirements for administrative and technical safeguards; small entities subject to the limited exemption will continue to be subject to many of the requirements of the DFS Cybersecurity Regulation. 
The proposed amendments exclude the requirement for multi-factor authentication under Section 500.12 from the limited exemption.  Therefore, covered entities to which the limited exemption applies, as well as covered entities exempted by the proposed amendments, would be subject to this requirement.
Changes of General Applicability
The proposed amendments include many clarifications, enhancements and other changes that would not impose substantive new requirements, but there are also many changes that may require advance planning by most covered entities. 
Under the proposed amendments, the required notice of a cybersecurity event must provide specific information where the event involved privileged accounts or ransomware, or any extortion payment.  Notice of an extortion payment must be provided within 24 hours, and additional descriptions of the rationale and reasoning for the payment must be disclosed within 30 days.  Information concerning the investigation of a cybersecurity event must be provided within 90 days.  The proposed amendments also formalize the previously stated DFS position that covered entities must file notices of cybersecurity events directly, and cannot have service providers file on their behalf. 
All covered entities will be affected by the proposed amendments to the DFS Cybersecurity Regulation.  Many will need to commit significant resources to comply with new or expanded requirements, while some may be newly eligible for the limited exemption.
DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Locke Lord LLP | Attorney Advertising