New York Department of Financial Services Publishes Proposed Second Amendment to Its Cybersecurity Regulation

On Nov. 9, 2022, the New York State Department of Financial Services (NYDFS) published a proposed second amendment to its cybersecurity regulation. This follows its pre-proposed amendment that was published on July 29. Our prior analysis of those amendments is available here. NYDFS did consider comments received in response to the pre-proposed amendments, as the proposed changes clarify and strengthen certain requirements. We highlight some of the key changes.

Additional Incident-Reporting Requirements

The first pre-proposed amendment requires notification to NYDFS within 72 hours of unauthorized access to privileged accounts or the deployment of ransomware within a material part of a covered entity’s information systems. The amendment also proposed a new 24-hour notification obligation in the event a ransom payment is made and a 30-day requirement to provide a written description of why the payment was necessary, alternatives considered and sanctions diligence conducted. Those stringent timelines are maintained in the second amendment, with additional reporting requirements:

90 days – Within 90 days of the notice of
