The NYS Department of Financial Services this morning
formally adopted changes to the cybersecurity regulation. This is something we have been anticipating for nearly 18 months. At the same time, it appears they may have emailed every licensed person for whom they have an email address to announce the adoption. You may have received this email.
Here is what you need to know today:
- We are in the process of reviewing the final version of the amendments. This is the third version of the amendments DFS has published, and it is not identical to what they proposed earlier.
- Both previous versions stated that the earliest date compliance will be required is 30 days from today (December 1,) and that deadline only applies to reporting certain types of security breach incidents. Compliance with most of the changes will not be required until May 1, 2024, and some will have later compliance dates. No one has to do anything immediately.
- Once we've analyzed the final version, we will provide the information to members in a variety of media, including blog posts, possibly videos, webinars, meetings with local association boards, and any other methods we can think of that might work.
- We have also met with representatives from DFS about coordinating training on the amended requirements. That training will likely occur in early January.
- Visit the Compliance Resources section at
www.biginy.org/cyber and the
Cyber category in the Newsfeed section of our website which can be found by dragging your cursor over the News link in the upper right corner. We have content about the previous two versions in those locations.
- Above all, please know that we're on top of this and there is absolutely no need for you to do anything right now.
We will post additional information here as soon as we have it ready.