DFS Notice on Amended Part 500 Cybersecurity Regulation

Dear Members,


Today, the New York State Department of Financial Services (DFS) adopted the final amendments to its Cybersecurity Rules (23 NYCRR Part 500). The DFS published two prior proposed versions of the amended regulation and requested comments from industry participants. The amended requirements phase in over time, but lenders should be mindful of each requirement and the deadlines for implementation.

Released Date: November 1, 2023


To: All Entities Regulated by the New York State Department of Financial Services


Re: Notice on Amended Part 500 Cybersecurity Regulation


Today, the New York State Department of Financial Services (“Department” or “DFS”) adopted amendments to its Cybersecurity Regulation, 23 NYCRR Part 500. The amended regulation incorporates current best practices to better protect businesses and consumers from emerging cyber threats and further tailors the requirements based on businesses’ risks and resources.


DFS is committed to providing its regulated entities with time and assistance to help them successfully come into compliance with these rules to ensure they are better protected from cyber threats.


To enable businesses to prepare for compliance, the new requirements will take effect in phases. Initial updates to existing reporting requirements will go into effect on December 1, 2023, but changes to required policies and procedures will not begin to take effect until April 2024 and rolling thereafter.


Among the changes in the amended regulation are requirements for regulated entities to report cyber ransom payments, implement multifactor authentication technology to better safeguard sensitive data, and enhance cyber governance by adopting new policies and specifying responsibilities for boards and executive management to oversee and manage cyber programs specifically tailored to the risk profile of regulated entities.


In furtherance of the Department’s commitment to ensuring entities understand the new practices outlined in the amended regulation, DFS will host a series of webinars to provide an overview of the amended regulation. Each training session has limited availability, so attendees are encouraged to register in advance.


Webinar information and registration links are available on the Department’s website. A recorded session will be added to this webpage following the scheduled webinars.


Regulatory changes and an implementation timeline can be found on the Department’s Cybersecurity Resource Center. The Department will also send out regular email updates ahead of each of the implementation dates. 


For questions related to the amended regulation, please contact DFS’s Cybersecurity team via email at [email protected].

