DFS Issues Final Amended Cybersecurity Regulation

The NYS Department of Financial Services (DFS), which oversees banks, insurers, and other financial services providers based in the state, has adopted final amendments to its cybersecurity regulation for covered entities, including Continuing Care Retirement Communities (CCRCs).

The final amended regulation can be found here. The agency’s Assessment of Public Comments can be found here. Members may access a summary of the final amended regulation prepared by LeadingAge NY counsel Hinman Straub here.

LeadingAge NY staff worked with affected members to develop and submit comments in response to the original proposed amendments in January 2023, many of which were addressed via the agency’s first-round Assessment of Public Comments and the revised proposed amendments issued in July 2023. However, LeadingAge NY and its membership remained concerned about the burden and cost of compliance for smaller organizations under the purview of DFS, such as CCRCs, and submitted additional comments in August 2023 reiterating the need for the State to ensure sufficient flexibility to allow for appropriate scaling for all covered entities in this and future regulations.

The final requirements expand use of multifactor authentication and other preventative measures to mitigate cybersecurity threats and, according to the Department’s Cybersecurity Resource Center, will take effect in phases:

• Unless otherwise specified, covered entities have 180 days from the date of adoption to come into compliance, or until April 29, 2024.
• Changes to reporting requirements will take effect one month from the date of adoption, on Dec. 1, 2023.
• For certain other requirements, the regulation provides up to one year, 18 months, or two years to come into compliance.
• Cybersecurity Implementation Timelines available from the Resource Center outline key compliance dates for each category of business impacted by the amended regulation:
  • Implementation Timeline for Small Businesses
  • Implementation Timeline for Class A Businesses
  • Implementation Timeline for Covered Entities

Additionally, to help regulated entities plan for compliance, DFS will host a series of webinars providing an overview of the amended cybersecurity regulation. Per the Cybersecurity Resource Center, the “General DFS Training on Part 500 Amendments” webinars are currently scheduled as follows:

• Wed., Nov. 15^th, 2-3:30 p.m. (Register here.)
• Thurs., Nov. 30^th, 11:30 a.m.-1 p.m. (Register here.)
• Thurs., Dec. 7^th, 11 a.m.-12:30 p.m. (Register here.)

LeadingAge NY will continue to analyze the impact of the final regulation on member organizations to identify opportunities to support providers throughout implementation and welcomes member feedback as staff complete their own review.

Contact: Annalyse Komoroske Denio, akomoroskedenio@leadingageny.org, 518-867-8866