CLS Blue Sky Blog

Morrison & Foerster Discusses Impact of New York Amendments to Cybersecurity Regulation

The New York Department of Financial Services (NYDFS) has finalized amendments (“Amended Regulation”) to its cybersecurity rule (“Cybersecurity Rule”) that applies to financial institutions licensed by the NYDFS. This comes after a series of proposed amendments (see our client alert, 8/30/22). The Amended Regulation includes significant changes to the Cybersecurity Rule, such as: enhanced notification requirements for cybersecurity incidents and extortion payments; requirements for more regular risk assessments; additional controls to prevent unauthorized access to information systems; and requirements for monitoring and filtering emails, as well as for annual training.

NYDFS has been and remains a bellwether regulator for cybersecurity regulation, and the rules it adopts often serve as a model for other regulators. In 2017, NYDFS was one of the first state financial regulators to impose cybersecurity requirements on covered entities. Through the Amended Regulation, NYDFS continues to break new ground by, among other things, expanding notification obligations for cybersecurity incidents, imposing heightened cybersecurity program requirements for certain large financial institutions, and creating new requirements for cybersecurity programs, such as wider-scoped multifactor authentication, privileged account controls, and more detailed asset inventories. The Amended Regulation raises the benchmark for cybersecurity regulations and provides a model for other regulators to adopt.

Enhanced Notification Obligations of Certain Incidents

The new amended notification rule also imposes new regulations with respect to third-party service providers of covered entities. While the pre-Amended Regulation notice rule governed covered entities’ responses to “cybersecurity events,”[7] such entities are now required to notify the NYDFS Superintendent “as promptly as possible” but no later than 72 hours after determining a “cybersecurity incident” (as defined above) has occurred “at the covered entity, its affiliates, or a third party service provider.”[8] These changes are similar to the United States Securities and Exchange Commission’s new Cybersecurity Disclosure Rule, which requires covered entities to report cybersecurity incidents that occur at their third-party service providers.[9] Consequently, the Amended Regulation, in effect, imposes additional downstream pressure on third-party service providers who work with covered entities to ensure they notify their customers of triggering cybersecurity incidents. Compliance is required by December 1, 2023.

Heightened Risk Assessment Requirements

The Amended Regulation includes material changes to the risk assessment requirements under the Cybersecurity Rule. In particular, the Amended Regulation expands upon the definition of “Risk Assessment” by stating that a Risk Assessment means “the process of identifying, estimating and prioritizing cybersecurity risks to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, customers, consumers, other organizations, and critical infrastructure resulting from the operation of an information system. Risk Assessments incorporate threat and vulnerability analyses and consider mitigations provided by security controls planned or in place.”[14] The Amended Regulation will now require that a Risk Assessment be reviewed and updated as reasonably necessary, but at a minimum annually, and whenever a change in the business or technology causes a material change to the covered entity’s cyber risk.[15] Compliance is required by April 29, 2024.

Cybersecurity Program Requirements

The Amended Regulation includes a number of new or enhanced technical requirements to the Cybersecurity Rule, including:

Compliance is required by May 1, 2025.

New Governance Obligations

The Amended Regulation provides for several new or enhanced governance obligations, including:

Compliance is required by December 1, 2023.

New Obligations for Larger (Class A) Companies

The Amended Regulation creates additional obligations on a new category of covered entities, i.e., “Class A Companies,” defined as a covered entity with at least $20 million in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and the business operations in New York of the covered entity’s affiliates and: (i) over 2,000 employees averaged over the last two fiscal years, including employees of both the covered entity and all of its affiliates no matter where located; or (ii) over $1 billion in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and all of its affiliates no matter where located.[43] Class A Companies are subject to the following additional requirements under the Amended Regulation:

Enforcement and Penalty Clarifications

Takeaways

According to the New York governor’s press release, the administration is “doubling down on [its] commitment to ensuring that financial institutions have safeguards in place to protect vital customer data and maintain the integrity of [the] financial system.” The Amended Regulation is effective as of November 1, 2023, and covered entities have 180 days from November 1, 2023 to comply with the Amended Regulation, with the exception that some provisions, as noted above, have a compliance date ranging from 30 days to two years from the effective date.

This relatively short implementation window, coupled with NYDFS’s status as a leader in cyber regulations, may encourage other regulators to follow its lead, meaning that companies should understand how the Amended Regulation will impact their operations and compliance regimes. The expanded notification obligations relating to cybersecurity incidents, the additional requirements for cybersecurity programs, and the enhanced requirements for Class A Companies are likely to become increasingly commonplace in cyber regulations issued by other regulators, and we expect the impact of the Amended Regulation will be felt far beyond the boundaries of New York.

ENDNOTES

[1] Section 500.17(a).

[2] See Section 500.1(e) (defining “covered entity” as any company that is required to register under New York’s Banking Law, Insurance Law, or Financial Services Law).

[3] Section 500.17(a)(1).

[4] See Section 500.1(f) (defining “cybersecurity event”).

[5] Section 500.1(g).

[6] Section 500.17(a)(2).

[7] See Section 500.1(f) (defining “cybersecurity event” as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system”).

[8] Section 500.17(a)(1).

[9] See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release No. 33-11216 (July 26, 2023) at 78–79, 170 (defining “information systems” to include electronic systems “owned or used by” a company—which includes third parties’ systems).

[10] Section 500.17(c)(1).

[11] See 6 U.S.C. 681b(a)(2).

[12] Id.

[13] Section 500.17(c)(2).

[14] Section 500.1(p).

[15] Section 500.9.

[16] Section 500.13(a).

[17] Id.

[18] Sections 500.13(a)(1)–(2).

[19] Section 500.7(a)(1).

[20] Section 500.7(a)(2).

[21] Section 500.7(a)(3).

[22] Section 500.7(a)(4).

[23] Id.

[24] Section 500.7(a)(5).

[25] Section 500.7(a)(6).

[26] Section 500.7(b).

[27] Section 500.12(a).

[28] Section 500.12(b).

[29] Id.

[30] Section 500.12(a).

[31] Section 500.12(b).

[32] Id.

[33] Section 500.14(a).

[34] Id.

[35] Section 500.1(q).

[36] Section 500.4(d).

[37] Section 500.4(c).

[38] Section 500.3.

[39] Section 500.17(b).

[40] Section 500.17(b)(1).

[41] Section 500.16(a).

[42] Section 500.16(a)(2).

[43] Section 500.1(d).

[44] Section 500.2(c).

[45] Section 500.7(c).

[46] Section 500.14(b).

[47] Section 500.20(b).

[48] Sections 500.20(b)(1)–(2).

[49] Section 500.20(c).

[50] Id.

This post comes to us from Morrison & Foerster LLP. It is based on the firm’s memorandum, “The Actual and Possible Impact of New York State Department of Financial Services Amendments to Its Cybersecurity Regulation,” dated December 7, 2023, and available here.