AFSA Comments on NYDFS Updated Proposed Cybersecurity Amendment
AFSA’s State Government Affairs team sent a letter to the New York Department of Financial Services (DFS) regarding its recent revised proposed second amendment to the DFS cybersecurity regulations. In the letter, AFSA highlights concerns and suggests clarifications for various sections, including the definition of Chief Information Security Officer (CISO), the use of internal auditors for independent audits, meeting requirements through certification of international cybersecurity standards, clarification on terms like “material inadequacies” and “timely reporting,” and the need for a delayed effective date for compliance due to the significant updates required by the proposed rule amendments.
AFSA also recommended expanding the provision allowing covered entities to meet requirements through the certification of international cybersecurity standards to encompass similar requirements, enhancing flexibility. Additionally, the letter highlighted the burden posed by certain requirements, such as the annual testing of incident response plans with senior officers and executives, and advocated for modifications that align the exercise with the roles of those involved to avoid unnecessary strain on covered entities. It also expressed concern that the requirement to notify DFS of cybersecurity events at affiliates within 72 hours might be overly broad for multinational corporations.
This letter, along with SGA’s other recent letters, can be found on the direct advocacy section of AFSA’s website.
August 18th, 2023