On Nov. 9, 2022, the New York Department of Financial Services (NYDFS) issued a proposed second amendment to its 2017 cybersecurity regulation for financial service companies.[1] NYDFS had issued a draft version of the changes in July 2022, but the current amendment differs significantly from that draft. Most of the proposed changes will take effect 180 days after final regulation adoption, likely soon after the comment period closes on Jan. 9, 2023, making most new regulations effective after July 8, 2023.[2]
Go-To Guide:
The proposed amendments move beyond administrative and technical safeguards to granular regulations on cybersecurity governance and risk management. Additionally, NYDFS places stricter requirements, detailed below, on larger financial services companies, “Class A Companies.” Class A Companies are those with greater than or equal to $20 million in New York gross annual revenue in the last two fiscal years, and either: greater than 2,000 employees (including affiliates’ employees), or greater than $1 billion in gross annual revenue (including affiliate revenue) globally in the last two fiscal years. With the new regulations expected to take effect in 2023 (potentially as early as March for sections with a 30-day implementation timeline), companies should begin planning and budgeting for the changes now to avoid legal compliance risks.
New Requirements for All Covered Entities:
New Requirements for Class A Companies:
The proposed amendments also provide changes to the limited exemptions for small companies. An entity (including affiliates) with either fewer than 20 employees (including independent contractors) or less than $15 million in year-end total assets is exempt from the following regulation sections: 500.4 (CISO requirements), 500.5 (penetration testing and vulnerability assessments), 500.6 (audit trails), 500.8 (application security), 500.10 (cybersecurity personnel), 500.14 (training and monitoring), 500.15 (encryption), and 500.16 (BCDR & IRP Plans).
NYDFS has taken note of the comments submitted on the original draft changes published in July; while it retained many of the proposed changes, the new version provides clarifications, relaxes some of the implementation timelines, and removes certain requirements for Class A Companies (such as weekly vulnerability scans and requiring password vaults for privileged access).