Date: November 6, 2023
To: Subscribers to New York State Department of Financial Services Cybersecurity Updates
Re: Amended Part 500 Cybersecurity Regulation
Last week, the New York State Department of Financial Services (“Department” or “DFS”) adopted amendments to its Cybersecurity Regulation, 23 NYCRR Part 500. The amended regulation incorporates current industry practices to better protect businesses and consumers from cyber threats and further tailors the requirements based on businesses’ risks and resources.
DFS is committed to providing its regulated entities with time and assistance to help them successfully come into compliance with these rules to ensure they are better protected from cyber threats.
To enable businesses to prepare for compliance, the new requirements will take effect in phases. Initial updates to existing reporting requirements will go into effect on December 1, 2023, but changes to required policies and procedures will not begin to take effect until April 2024 and on a rolling basis thereafter.
Among the changes in the amended regulation are requirements for regulated entities to report cyber ransom payments, implement multifactor authentication technology to better safeguard sensitive data, and enhance cyber governance by adopting new policies and specifying responsibilities for boards and executive management to oversee and manage cyber programs specifically tailored to the risk profile of regulated entities.
The Department will send out regular email updates to regulated entities and subscribers ahead of each of the implementation dates. Further information and compliance resources can be found on DFS's Cybersecurity Resource Center.