by Luke Dembosky, Avi Gesser, Erez Liebermann, Caroline Novogrod Swett, Johanna Skrzypczyk, and Mengyi Xu
On November 9, 2022, the New York Department of Financial Services (“NYDFS”) announced the publication of the official proposed amendments to its 2017 Cybersecurity Regulation 23 NYCRR 500 (“Proposed Amendments”). This announcement follows a highly active pre-proposal comment period, during which industry stakeholders shared their thoughts with the NYDFS on the changes under consideration, and which we covered in an Overview, a Q and A, and a webcast. The 60-day public comment period on the Proposed Amendments ends on January 9, 2023. In this blog post, we discuss our initial observations on significant changes between the new release and the pre-proposal.
Highlights of what we learned from the revisions:
- NYDFS took the time to ingest comments and clarify interpretations, so the next round of comments is very important.
- The Revised Proposal softens the definition of Class A companies.
- The Revised Proposal softens the prescriptive requirements around key controls, bringing back some of the risk-based elements of the existing Part 500.
- NYDFS understands that the implementation periods for some technical elements were too aggressive and has softened those requirements.