On November 1, 2023, the New York Department of Financial Services (“NYSDFS”) adopted an amendment (the “Amendment”) to its Part 500 Cybersecurity Regulations (the “Regulations”). The Amendment, like the Regulations, applies to organizations operating or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law, regardless of whether the entity is also regulated by other government agencies.

Among the Amendment’s key changes is a requirement that covered entities designate a Chief Information Security Officer (“CISO”) who will report to their organizations’ senior governing body or executive (e.g., the board) on “material cybersecurity issues, such as significant cybersecurity events and significant changes to the covered entity’s cybersecurity program.” (Section 500.4). Notably, the Amendment does not define what constitutes “material cybersecurity issues,” “significant cybersecurity events,” or “significant changes” that would necessitate such a report. This gap has the potential to sow confusion in the reporting process for CISOs. The Amendment further requires that senior governing bodies of covered entities exercise direct oversight over their entities’ cybersecurity risk management. (Section 500.4).