Upcoming Publication of New NYDFS Cybersecurity Requirements for Financial Services Companies

The Second Amendment to the New York Department of Financial Services’ (“NYDFS”) Cybersecurity Requirements for Financial Services Companies (the “NYDFS Requirements”) is expected to be published in final form in the next two weeks. The Second Amendment will follow updated proposed amendments to the NYDFS Requirements published on June 28, 2023 (the “2023 Proposal”),¹ which were revised after the proposed amendments were first formally published on November 9, 2022.² The comment period for the 2023 Proposal ended on August 14, 2023.

The New York State Administrative Procedure Act (“SAPA”) ordinarily requires an agency to adopt a proposed rule within one year of the publication in the state register of the notice of proposed rulemaking, or else the proposed rule expires.³ We expect that NYDFS will seek to finalize the Second Amendment prior to November 9. As New York State typically publishes new regulations on Wednesdays, we can expect the NYDFS to publish the final amendment on November 1 or 8.

We expect few changes between the final regulation and the 2023 Proposal. SAPA requires a notice and comment period for substantive changes to proposed rules prior to publication, which means the final rule should not contain any new requirements that were not subject to notice and comment.⁴ The changes in the final regulation are therefore likely to be clarifications to, or narrowing of, the new requirements in the 2023 Proposal.

In anticipation of the upcoming final regulation, please see our past publications on the NYDFS Requirements:

• Mayer Brown, The Newly Revised NYDFS Cyber Requirements for Financial Services Companies What you Need to Know About the Proposal (July 12, 2023), available at The Newly Revised NYDFS Cyber Requirements for Financial Services Companies What you Need to Know About the Proposal | Perspectives & Events | Mayer Brown.
• Mayer Brown, NYDFS Expands Cybersecurity Requirements for Licensed Financial Services Companies (July 6, 2023), available at NYDFS Expands Cybersecurity Requirements for Licensed Financial Services Companies | Perspectives & Events | Mayer Brown.
• Mayer Brown, Cyber Spotlight: NYDFS Cybersecurity Regulation – What Do the Proposed Changes and Increasing Enforcement Mean for Covered Entities? (October 11, 2022), available at Cyber Spotlight: NYDFS Cybersecurity Regulation – What Do the Proposed Changes and Increasing Enforcement Mean for Covered Entities? | Perspectives & Events | Mayer Brown.

¹ NYDFS, Updated Proposed Second Amendment to 23 N.Y.C.R.R. pt. 500 (June 28, 2023), https://www.dfs.ny.gov/system/files/documents/2023/06/rev_rp_23a2_text_20230628.pdf; NYDFS, Cybersecurity Requirements for Financial Services Companies XLV (No. 26) N.Y. Reg. 23-27 (June 28, 2023), https://dos.ny.gov/system/files/documents/2023/06/062823.pdf.

² NYDFS, Cybersecurity Requirements for Financial Services Companies XLIV (No. 45) N.Y. Reg. 26-28 (Nov. 9, 2022), https://dos.ny.gov/november-9-2022vol-xliv-issue-45.

³ State Administrative Procedure Act, §202.2(a), available at NYS Open Legislation | NYSenate.gov.

⁴ State Administrative Procedure Act, §202.4-a, available at NYS Open Legislation | NYSenate.gov.