NYDFS Amends Cybersecurity Program Requirements

The New York State Department of Financial Services ("NYDFS") adopted amendments to Regulation 23 Part 500 ("Cybersecurity Requirements for Financial Service Companies") applicable to entities that operate under a license or registration provided under New York Banking Law, Insurance Law or Financial Services Law ("covered entities").

Under the amendments, covered entities must designate a Chief Information Security Officer ("CISO"), implement risk-based policies, and provide regular cybersecurity awareness training for all personnel. Additionally, NYDFS said that covered entities are required to notify the superintendent of any cybersecurity incident within 72 hours of determining that an incident has occurred.

NYDFS said that covered entities are allowed to utilize a qualified third-party service provider to assist in complying with the requirements of the rule, subject to certain conditions. These conditions include that the covered entity must (i) remain responsible for compliance, (ii) identify a senior member of the entity's personnel responsible for overseeing the service provider and (iii) ensure that the service provider maintains a cybersecurity program that protects the covered entity.

New York State Chief Cyber Officer Colin Ahern described the amendments as "strengthen[ing] NYDFS' risk-based approach to ensure that cybersecurity is integrated into regulated entities' business planning, decision-making, and ongoing risk management."

The amendments became effective upon publication on November 1, 2023.