Over the past year, the New York Department of Financial Services (NY DFS or the Department) has worked on several fronts to overhaul its approach to regulating the cybersecurity risk and compliance of New York regulated financial services providers (Covered Entities). Through a combination of guidance, new supervisory tools, enforcement, and now proposed regulations, the Department is embarking on a new era of cybersecurity regulation for financial services. The result is a more stringent regulatory atmosphere in New York with the likelihood of far higher compliance expectations for full compliance.

Proposed Expansion of Cybersecurity Regulations

As the cornerstone in NY DFS's efforts to update its approach to cybersecurity regulation, NY DFS informally proposed significant amendments to its Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500) (the Regulations) on July 29, the first proposed updates to the Regulations since they were adopted in 2017. The proposed amendments elevate cybersecurity requirements for large companies, increase Board and C-suite responsibility and accountability, expand breach notification obligations, augment risk assessment requirements, and establish specific business continuity and disaster recovery requirements.

The Department released the "pre-proposed" amendments in draft form for a brief informal comment period, and they have yet to be formally proposed under New York's rule-making process. By taking this approach, NY DFS is likely hoping to make any changes to its initial proposal prior to formally publishing the proposed amendments and subjecting them to the required 60-day public comment period. Once published, the Department will likely be resistant to making any additional substantive changes that would trigger an additional required comment period.