The New York Department of Financial Services (NYDFS) in November 2022 published a proposal to amend its cybersecurity rules, which will require regulated companies to notify the NYDFS of a third-party cybersecurity incident within 72 hours.

A draft version of the proposal released earlier in 2022 required financial institutions to notify regulators about such incidents within 72 hours. This newer proposal includes this notice requirement, along with an amendment that notice be provided to NYDFS within 24 hours of making a ransom payment to hackers. Furthermore, financial institutions will be required to outline why a ransom payment was necessary, which alternatives were considered, and how federal sanctions implications were assessed.

In addition, the proposals mandate boards of directors at financial institutions to have more oversight into the organization's cybersecurity risks. Boards at banks, insurance companies, and other financial institutions meeting a certain size threshold, will be required to approve cyber policies. Also, financial institutions will have to disclose whether their boards have expertise to oversee cybersecurity risks or identify if they will rely on outside consultants. These mirror the proposed requirements from the Securities and Exchange Commission (SEC). Read NYDFS Press Release.