The New York Department of Financial Services (“NYDFS”) released a “revised proposed second amendment” on June 28 that makes further changes to its Cybersecurity Regulation (“23 NYCRR Part 500”). Part 500 was first enacted in 2017 for entities licensed under NYDFS (e.g. financial institutions, money transmitters, etc.), requiring them to build and maintain written cybersecurity programs for their information systems and the personal data they process.

NYDFS first proposed updates to Part 500 in July 2022, which included requiring: 1) greater independence for covered entities’ chief information security officers, 2) annual risk assessments for covered entities, and 3) increased breach notification requirements. A first proposed second amendment for these updates was released in November 2022.

These latest proposed changes to the second amendment do not appear to significantly alter the updated regulations, but are rather focused on minor changes to various sections and clarifying certain definitions. Comments are due on these changes by August 14, 2023. Some highlights include:  

• Section 500.1: Clarified the definition of “affiliates” to mean only those that share information systems or resources with covered entities;
• Section 500.2(c): In regard to the requirement that covered entities conduct annual audits, NYDFS said the covered entities may use internal or external auditors;
• Section 500.4(c): Further clarified that the CISO only needs to timely report to the board on cybersecurity issues that are material;
• Section 500.4(d): There has been an increased focus through this amendment process on improving the expertise on cybersecurity issues amongst senior level personnel. The latest changes clarified that boards/senior governing bodies only need to provide oversight on cybersecurity issues and do not need to be directly involved in managerial decisions; and
• Section 500.16: Clarified that incident response plans need to be focused on cybersecurity events.

Covered entities under NYDFS should continue to prepare for the enactment of these changes. Our Data Privacy and Cybersecurity practice regularly advises companies on how to meet the requirements of data privacy and cybersecurity frameworks and laws. If you have any questions, please do not hesitate to contact any member of our team.