NY seeks comment on proposed cyber regulation amendment

Posted On: Jul. 11, 2023 11:42 AM CST


Companies have until Aug. 14 to comment on the latest proposed amendment to New York’s cyber regulation that, among other measures, would differentiate companies by size and other factors.

The second amendment to the New York State Department of Financial Services cybersecurity regulation, 23 NYCRR Part 500, which went into effect in 2017, was issued on Nov. 9, 2022, with a comment period that ended Jan. 9.

The department issued a revised proposal on June 28, with a 45-day comment period. The final regulation is expected around the end of the year.

Among the changes proposed in November are the creation of three tiers of companies, enhanced governance requirements and additional controls to prevent initial unauthorized access to systems.

Dan Pepper, a partner with Norton Rose Fulbright US LLP in New York, said one of the issues that he thinks still needs additional revision is a requirement that incident response plans for covered entities be ultimately approved by companies’ boards of directors.

That is “not something they would typically be involved with,” he said. Instead, boards are generally advised by senior management on this issue, and requiring board approval is “unrealistic,” he said.

Observers say the changes between the November and June releases are not dramatic. The newest version “clarifies or tweaks the earlier proposal and indicates that the agency was receptive to some of the feedback it received,” said Mark H. Francis, a partner with Holland & Knight LLP, in a statement.

Micaela R.H. McMurrough, a partner with Covington & Burling LLC in New York, said she does not expect major changes in the final draft. “I would think they are moving closer to the final draft,” she said.

Ms. McMurrough said the November changes, and the more recent June refinements, reflect the wide variety and size of companies covered by the regulation and recognize that cyber incidents will occur “and how companies behave in the wake of an incident is important going forward.”