
NYDFS Releases Amendment to Cybersecurity Regulation

By Justin Herring, Rajesh De, Steven M. Kaplan, Stephen Lilley, Lauren Pryor, Jeffrey P. Taft & Lauren Williams on November 3, 2023

On November 1, 2023, the New York Department of Financial Services (“NYDFS”) finalized the amendment to its cybersecurity regulation (the “Amendment”). The Amendment expands cybersecurity requirements across many areas—from governance to incident response to access controls.

The Amendment follows three published drafts: two proposals published for formal notice and comment in November 2022 and June 2023, and a pre-proposal draft published in July 2022. The final version resembles the June 2023 proposal but includes a handful of key changes and clarifications. In this Legal Update, we analyze the new requirements introduced in the Amendment.

Rajesh De

Raj De serves on Mayer Brown’s global Management Committee. He was previously the Managing Partner of Mayer Brown’s Washington DC office, which is comprised of more than two hundred lawyers. He leads the firm’s global Cybersecurity & Data Privacy practice, as well as the firm’s National Security practice, and serves as a member of the firm’s Congressional Investigations & Crisis Management team. After nearly two decades in private practice and public service across all three branches of the United States government, Raj is one of the most trusted voices in Washington. He has held senior appointments in the White House, the Department of Justice (DOJ) and the Department of Defense (DOD). Raj returned to Mayer Brown in 2015 after serving as General Counsel at the United States National Security Agency (NSA). Since returning to the firm, Raj has received numerous recognitions, including by American Lawyer (“Lateral All-Star”), Washingtonian magazine (“Top Lawyer”), The National Law Journal (“Cybersecurity and Data Privacy Trailblazer”), and Cybersecurity Docket (“Incident Response 30”).

Raj focuses his practice on cutting-edge legal and policy issues at the nexus of technology, national security, law enforcement and privacy. He advises clients, including management teams and boards of directors, in connection with crisis management, government and internal investigations, high-stakes litigation, regulatory enforcement matters, and congressional inquiries. Raj provides clients with strategic counseling and practical legal advice, drawing upon a wealth of experience in government service and private practice.

Steven M. Kaplan

Steven Kaplan is a partner in Mayer Brown’s Washington DC office and a member of the Consumer Financial Services group. He concentrates his practice on matters related to consumer financial products and represents clients in federal and state supervisory matters, investigations and enforcement proceedings. He also advises clients on compliance with federal and state laws governing licensing and practices of financial institutions, mortgage lenders, consumer finance companies, loan servicers, prepaid card issuers, payment system providers and secondary market participants. Steven acts as regulatory counsel in connection with investments or acquisitions related to consumer loans and other consumer financial products and performing regulatory compliance due diligence. Additionally, Steven assists with structuring operations and developing compliance management systems and due diligence programs and with litigation involving regulatory compliance matters.

Stephen Lilley

Stephen Lilley is a partner in the Washington DC office of Mayer Brown. He focuses his practice on helping clients navigate cutting-edge and interrelated litigation, regulatory, and policy challenges. A member of the firm’s Litigation and Cybersecurity & Data Privacy practices, Stephen develops strategies to manage legal risks and to shape regulatory policy across a broad range of substantive areas.

Stephen has significant experience working with clients to identify, evaluate, and manage cybersecurity and data privacy risks; responding to cyber incidents and vulnerability disclosures; and defending businesses in related litigation. Stephen is regularly called upon to advise senior executives and board members on their most challenging cybersecurity risks, to help companies develop governance programs to mitigate those risks, and to lead training exercises to implement and refine those programs. Stephen has particular experience advising on cybersecurity and national security issues relating to the Internet of Things, including vehicles and medical devices, and to manufacturing, critical infrastructure, and other industrial systems. Widely recognized for his cybersecurity law and policy experience, Stephen previously served as Chief Counsel to the Senate Judiciary Committee’s Subcommittee on Crime and Terrorism, where he focused on cybersecurity issues.

Lauren Pryor

Lauren Pryor is a Financial Services Regulatory & Enforcement partner and co-head of the Financial Institutions M&A group.

Lauren focuses on M&A in the financial services industry, including complex stock and asset-based transactions, full equity deals, PE investments, JV arrangements and transfers of assets including residential mortgage loans, consumer loans, business purpose loans, mortgage servicing rights and credit card receivables. Lauren frequently represents depository institutions, financial sponsors, mortgage companies and investment funds in such matters.

Jeffrey P. Taft

Jeffrey Taft is a partner in the Firm’s Financial Services Regulatory & Enforcement group and the Cybersecurity and Data Privacy practice. His practice focuses primarily on bank regulation, bank receivership and insolvency issues, payment systems, consumer financial services and cybersecurity/privacy issues. He has extensive experience counseling financial institutions, merchants, technology companies and other entities on various federal and state banking and consumer credit issues, including compliance with the Bank Holding Company Act, National Bank Act, International Banking Act, Consumer Financial Protection Act, Truth-in-Lending Act, the Fair Credit Reporting Act, the Electronic Fund Transfer Act, the Equal Credit Opportunity Act, the Fair Debt Collection Practices Act, the Real Estate Settlement Procedures Act, state unfair or deceptive acts or practices statutes, CFPB’s UDAAP authority and the development and implementation of privacy, cybersecurity and information security programs under the Gramm-Leach-Bliley Act, the NYDFS cybersecurity regulation and industry standards, such as PCI DSS and NIST.

  • Posted in:
    Privacy and Cybersecurity
  • Blog:
    Inside Cybersecurity & Privacy Law
  • Organization:
    Mayer Brown
