United States of America: Opened consultation on Amendment to Cybersecurity Requirements for Financial Services Companies

On 9 November 2022, the New York State Department of Financial Services (NYDFS) published and opened a second consultation on the Amendment to the cybersecurity obligations of financial services companies (23 NYCRR 500) until 9 January 2023. The Amendment includes an update to the definition of cybersecurity risk assessment, outlines the role and obligation of information security officers, obligations regarding vulnerability management, authentication, asset management and data retention, incident response and reporting obligations. The Amendment lists additional obligations for entities with at least USD 20 million in annual revenue, and over 2000 employees or over USD 1 billion in gross annual revenue, over the last two fiscal years. In addition, the Amendment proposes changes to the requirements for the application of limited exemptions, which would concern entities with fewer than 20 employees and less than USD 15 million in annual turnover.