New York DFS Announces Updated Cybersecurity Regulation 

The proposed amended regulation will have a 60-day comment period, ending Jan. 23, 2023.

11/10/2022 8:00 A.M.


Superintendent of Financial Services Adrienne A. Harris announced in a press release this week that the New York State Department of Financial Services (DFS) proposed an updated cybersecurity regulation.

DFS’s original regulation, introduced in 2017, established a regulatory model that is now used by both federal and state financial regulators. The department has taken a data-driven approach to amending the regulation to ensure that regulated entities address new and increasing cybersecurity threats with the most effective controls and best practices to protect consumers and businesses, according to the release.

“With cyber-attacks on the rise, it is critical that regulation keeps pace with new threats and technology purpose-built to steal data or inflict harm,” Harris said. “Cyber criminals go after all types of companies, big and small, across industries, which is why all of our regulated entities must comply with these standards—whether a bank, virtual currency company, or a health insurance company.”

The proposed amended regulation aims to strengthen the DFS risk-based approach to ensure cybersecurity risk is integrated into business planning, decision-making and ongoing risk management.

Further changes in the proposed regulation include:  

  • The creation of three tiers of companies, further tailoring the regulation to a diverse set of businesses with different defensive needs.
  • Enhanced governance requirements, which increase accountability for cybersecurity at the board and C-suite levels.
  • Additional controls to prevent initial unauthorized access to technology systems and to prevent or mitigate the spread of an attack.
  • Requiring more regular risk and vulnerability assessments, as well as more robust incident response, business continuity and disaster recovery planning.
  • Directing companies to invest in regular training and cybersecurity awareness programs that are relevant to their business model and personnel.

Over the past few months, DFS has solicited feedback on proposed amendments from other regulators, industry groups, and regulated entities through the recent Cybersecurity Symposium, industry conferences and meetings, according to the release.

The proposed amended regulation will have a 60-day comment period, ending Jan. 23, 2023.

A copy of the proposed amended regulation is available on the DFS website.
