NY DFS Proposes New Class of Entities and More Detailed Regulations in Second Amendment to Cybersecurity Regulations – Lexology

On November 9, 2022, the New York Department of Financial Services (DFS) published its proposed second amendment to its cybersecurity regulations (23 NYCRR Part 500). This proposal follows a July 29 pre-proposal and comment period. The amendment is available for a sixty-day comment period – until January 9, 2023 – after which the agency may adopt final regulations or issue a further revised version.
The proposal shows that DFS seeks to substantially revise the regulations and add numerous new, stringent, and more detailed obligations. If the final amended regulations look anything like the proposal, DFS will remain at the forefront of cybersecurity regulation, amid proliferating and often concurrent cybersecurity regulations at the state and federal level. The amendments would heighten management involvement in certification; prescribe additional technologies and granular policies across a covered entity’s program; increase audit and testing requirements; and notably expand breach notification requirements. The amendments also propose additional regulations for larger entities – formally classified as “Class A.”
One other possible change merits particular attention. The DFS proposes more explicit criteria for the calculation of penalties. While the increase in transparency will no doubt be welcome, the draft creates several multipliers that could have a profound impact on licensed entities and the regulatory balance. These include a multiplier for every 24 hours of noncompliance with any of the voluminous and detailed requirements, among other grounds for additional charge counts, that could make for disproportionate and potentially absurd fines even for technical peccadillos in which there is no consumer harm (although the draft provides for some consideration of the consumer impact).
While an exhaustive list of the changes is beyond the scope of this post, some of the most significant proposed revisions are highlighted below.
Most of the proposal does not go into effect until 180 days after publication in the New York Register, which itself can occur only after the aforementioned 60-day comment period. The earliest that publication could occur is January 9, 2023. However, certain parts of the amendment have different effective dates. The effective dates are listed below.

© Copyright 2006 – 2022 Law Business Research


