On Nov. 9, 2022, the New York State Department of Financial Services (NYDFS) published a proposed second amendment to its cybersecurity regulation. This follows its pre-proposed amendment that was published on July 29. Our prior analysis of those amendments is available here. NYDFS did consider comments received in response to the pre-proposed amendments, as they clarify and strengthen certain requirements. We highlight some of the key changes.
Additional Incident-Reporting Requirements
The first pre-proposed amendment requires notification to NYDFS within 72 hours of unauthorized access to privileged accounts or the deployment of ransomware within a material part of a covered entity’s information systems. The amendment also proposed a new 24-hour notification obligation in the event a ransom payment is made and a 30-day requirement to provide a written description of why the payment was necessary, alternatives considered and sanctions diligence conducted. Those stringent timelines are maintained in the second amendment, with additional reporting requirements:
90 days – Within 90 days of the notice of