Privacy & Information Security Law Blog

On November 1, 2023, New York Governor Hochul announced that the New York State Department of Financial Services (“NYDFS”) amended its Cybersecurity Regulation applicable to covered financial institutions. Our previous blog post covered key proposed changes to the Cyber Regulation.

The NYDFS, which regulates financial institutions including insurance companies, mortgage brokers and banks, adopted the original Cybersecurity Regulation in 2017. The new amendments strengthen the initial framework and require NYDFS-regulated entities to adhere to a number of additional prescriptive data security requirements, including adopting controls to prevent unauthorized access to information systems, conducting more regular risk assessments, maintaining robust incident response planning procedures, and adhering to updated notification requirements, such as the new requirement to report ransomware extortion payments to NYDFS within 24 hours of the payment.

The amended Cybersecurity Regulation will take effect in phases. Regulated entities generally have until April 29, 2024 to comply with the amended Regulation. Notably, however, the new reporting requirements will take effect sooner, on December 1, 2023. For certain other requirements, regulated entities will have between one and two years to reach compliance. Specific compliance dates can be found on the NYDFS Cybersecurity Resource Center website.

In the coming weeks, NYDFS will host an upcoming series of training sessions on the amended Cybersecurity Regulation to help regulated entities plan for compliance.