The New York Department of Financial Services ("NYDFS"), a leading rule maker in the cybersecurity world, has released proposed revisions to its Cybersecurity Requirements for Financial Services Companies (the "Regulation"). The changes, which are likely to take effect in 2023, are substantial. Among other things, your company's information security team will have to redesign its risk assessment process, procure new technologies for system penetration testing, involve senior management in new ways, notify NYDFS of unauthorized access to privileged accounts, rewrite policies and procedures, and more. To help clients get ready, our Privacy & Data Security Group will be writing a series of blog posts that take a "deep dive" into the proposed changes.

If you're not familiar with the NYDFS, it is the leading US regulator in cybersecurity. NYDFS regulations have been copied in whole or in part by the FTC, the NY Attorney General, and the National Association of Insurance Commissioners, and the FTC and the NY Attorney General appear to use them as guideposts in their regulatory enforcement. The NYDFS aggressively enforces its existing regulations. For example, the NYDFS imposed a $4.5MM penalty against a company after finding that a single access control failure (a shared mailbox password used by multiple employees, without multi-factor authentication) contributed to the exposure of hundreds of thousands of consumers' nonpublic personal health information. (See our summary of the EyeMed Consent Order.) Businesses in New York and elsewhere need to understand the proposed changes because the models developed for NYDFS compliance are usable across regulations and demonstrate best practices.

Here is what is coming in this six-part series:

Again, we will break down some of the proposed new rules in a series of posts beginning tomorrow. If you want to get ahead, you can begin by reviewing the proposed new regulations here. As always, if you have any questions about privacy and data security, contact Rick Borden at (212) 705-4884, Daniel Goldberg at (310) 579-9616, Saphya Council at (212) 826-5575, or any other member of the Frankfurt Kurnit Privacy & Data Security Group.