The New York Department of Financial Services recently amended its cybersecurity regulations, creating new requirements for covered entities, establishing a new class of covered entity subject to particular requirements, and revising which covered entities may be exempt from certain requirements. The effective date for the majority of changes was November 1, 2023, with other changes becoming effective one month, one year, 18 months, and two years thereafter.
The amendment creates a new class of high-revenue entity that is subject to requirements beyond those imposed on other covered entities, such as independent audits, but it also broadens the criteria under which entities are exempt from several of the regulatory provisions. Among other changes, the amended regulations add new topic areas that a covered entity’s cybersecurity policies must address (e.g., remote access), provide vulnerability testing requirements, establish thresholds for business continuity and disaster recovery plans, revise the method and substance of the annual certification, which must now be signed by the covered entity’s highest-ranking executive and its CISO, and create requirements relating to extortion payment events. The amendments further clarify the actions that constitute a violation of the regulations and establish factors that the regulator will consider when assessing penalties.