State Regulatory Developments

New York DFS Proposes Amendments to Cybersecurity Regulations

The New York Department of Financial Services (NYDFS) has proposed amendments to its cybersecurity regulations which are now open to public comment.  Among other changes, the proposed amendments include new notice requirements for covered entities after cybersecurity events and extortion payments, and changes in the definitions of both smaller and larger companies.  More small businesses would fit under the “limited exemptions” section, and a new tier of large company called “Class A” would have additional regulatory requirements.  The proposed amended regulation also includes requirements for enhanced business continuity and disaster recovery planning.

New notice requirements would give a covered entity 90 days from its already required notice within 72 hours of a cybersecurity event to NYDFS to provide supplementary information on the event investigation.  An additional notice is proposed for a covered entity to provide notice to NYDFS within 72 hours of learning of a cybersecurity event at any of its third party service providers.

The proposed amended regulation also includes a required notice to NYDFS within 24 hours of making any extortion payment.  And, within 30 days after that payment, the covered entity would have to provide certain information to the NYDFS including: (i) describing reasons for necessity of the payment; (ii) describing any considered alternatives to the payment and the efforts to find payment alternatives; and (iii) describing any efforts to ensure compliance with OFAC.

There would be more small businesses included in the limited exemption from parts of the regulation.  The amendments propose increasing the limited exemption for companies with: (i) fewer than 20 employees and independent contractors (up from 10); (ii) less than $5,000,000 in gross annual revenue in New York in each of the last three years; and (iii) less than $15,000,000 in total year-end assets (up from $10,000,000).

The public comment period ends on January 9, 2023.