On November 9, 2022, New York Department of Financial Services (NYDFS) Superintendent Adrienne Harris announced that the NYDFS formally proposed an updated cybersecurity regulation.  Although the updates had previously been released in draft form, the formal announcement commences the 60-day comment period. 

The proposed regulations would create three different tiers of companies based on their size, operations, and nature of their businesses.  The compliance obligations of those different tiers would vary, but in general, the proposed regulations would:

  • Enhance governance requirements in an attempt to increase accountability for cybersecurity at the Board and C-Suite levels;   
  • Require controls to prevent initial unauthorized access to technology systems and to prevent or mitigate the spread of an attack;   
  • Require more regular risk and vulnerability assessments, as well as more robust incident response, business continuity and disaster recovery planning; and   
  • Direct companies to invest in regular training and cybersecurity awareness programs that are relevant to their business model and personnel.   

Companies now have 60 days to submit comments to these proposed regulations, after which NYDFS will either propose a revised version or adopt the final regulation.  However, even though the final regulation may still change, companies should be assessing their current compliance regimes – including whether their policies are properly documented in a fashion likely to satisfy legal regulators.