On June 28, 2023, the New York Department of Financial Services (“NYDFS”) published updated proposed amendments to its cybersecurity regulation (the “2023 Proposal”) applicable to “covered entities.”1 A covered entity is any person operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation or similar authorization under the New York Banking Law, Insurance Law or Financial Services Law. These updated amendments follow comments from industry groups and other stakeholders on the NYDFS’s proposed revisions that were published on November 9, 2022 (the “2022 Proposal”).2 Comments on the 2023 Proposal may be submitted until August 14, 2023.
In this Legal Update, we provide a section-by-section analysis of new requirements in the 2023 Proposal. The 2023 Proposal is extensive and would significantly expand requirements for covered entities. Key new and expanded requirements include: (1) new requirements for larger companies (Class A Companies, as defined below); (2) expanded governance requirements, such as board approval for cybersecurity policies; (3) expanded cyber incident notice and compliance certification requirements; (4) expanded requirements for asset inventory; and (5) a revised multi-factor authentication requirement for user access to a company’s network.