NYDFS to Delay Implementation of Cybersecurity Rules | Practical Law

The New York State Department of Financial Services (NYDFS) is delaying the implementation of cybersecurity regulations for banks, insurers, and other financial services institutions subject to its jurisdiction.

NYDFS to Delay Implementation of Cybersecurity Rules

Practical Law Legal Update w-005-1596 (Approx. 5 pages)

by Practical Law Finance
Published on 22 Dec 2016
USA (National/Federal)
The New York State Department of Financial Services (NYDFS) has delayed the anticipated January 1, 2017 deadline for New York State-regulated banks, insurers, and other financial services to comply with its comprehensive cybersecurity rule (see Legal Update, NYDFS Issues Proposed Cybersecurity Regulations for the Financial Industry). A revamped version of the cybersecurity rule was announced on December 28, 2016, and will become effective on March 1, 2017.
The revamped rule includes several revisions to the original proposed rule's definitions, including Risk Assessment, Third Party Service Provider(s), Person, and others. It also includes the following changes:
  • Cybersecurity Program (Section 500.02). Under the revised rules, a covered entity is free to design a custom tailored cybersecurity program that is appropriate to protect its information systems, nonpublic information, or business operations based on its risk assessment. In the prior version of the proposed rules, specific design parameters for a cybersecurity program outlined the required core functions. This revised section also requires increased transparency of the entity's cybersecurity program by providing the NYDFS Superintendent with the ability to access all documentation and information relevant to the entity's cybersecurity program.
  • Cybersecurity Policy (Section 500.03). Under the revised rules, a covered entity is still required to implement and maintain a written document setting forth policies and procedures to protect its information systems and nonpublic information. However, instead of requiring annual review by the entity's board of directors and approval by a senior officer (as required under the original proposed rule), the new rule requires only that the policy be approved by one of either a senior officer, the Covered Entity's board of directors (or an appropriate committee of the board), or an equivalent governing body of the entity. Additionally, the annual review of the cybersecurity policy itself is replaced with a requirement that the policy reflect a covered entity's periodic risk assessment to "allow for revision of controls to respond to technological developments and evolving threats."
  • Risk Assessment (Section 500.09). Under the revised rules, covered entities are required to conduct a periodic risk assessment of their information systems. The risk assessment must be sufficient to "inform the design of the cybersecurity program" and must address any changes to the entity's information systems, nonpublic information, and business operations, and must account for technological developments and evolving risks, including those specific to the entity. The risk assessment must be carried out in accordance with written policies and procedures that address:
    • the evaluation and categorization of identified cybersecurity risks or threats facing the covered entity;
    • the assessment of the integrity and security of the entity's information systems and nonpublic information; and
    • how risks will be addressed and mitigated based on the risk assessment.
  • Chief Information Security Officer (CISO) and Cybersecurity Personnel and Intelligence (Sections 500.04 and 500.10). Under the revised rules, the CISO is required to submit an annual report to the board of directors (or equivalent governing body), or to a senior officer of the entity if no board of directors (or equivalent governing body) exists, on the entity's cybersecurity program and material cybersecurity risks. Prior to the revision, the CISO report was required bi-annually. The revised rules also clarify that covered entities may utilize third party service providers to manage or oversee the performance of core cybersecurity functions.
  • Encryption of Nonpublic Information (Section 500.15). The revised rules no longer make encryption the default requirement for the transmission of information over external networks. Alternative techniques are allowed based on the risk assessment.
  • Notices to Superintendent (Section 500.17). The revised rules retain the 72-hour time frame for providing notice to the superintendent that a cybersecurity event has occurred, but functionally delay reporting requirements by delaying the point at which the time begins to run. Instead of requiring reporting within 72 hours of the occurrence of an event, under the revised rules the covered entity must only report a cybersecurity event within 72 hours of determining that the event:
    • requires notice to be provided to any government body, self-regulatory agency, or other supervisory body; and
    • has a "reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity."
  • Confidentiality (Section 500.18). The revised rules contain a new section covering confidentiality. This new section provides that a covered entity is subject to exemptions from disclosures under "Banking law, Insurance Law, Financial Services Law, Public Officers Law or any other applicable state or federal law." However, the superintendent retains broad access to all documentation and information "relevant" to the entity's cybersecurity program, as discussed in retained Section 500.02. The purpose of this new inclusion appears to be to shield banks from having aspects of their cybersecurity programs available for discovery in civil litigation, but it seems likely to have more broadly reaching implications for cybersecurity transparency.
  • Exemptions (Section 500.19). Under the revised rules, limited exemptions from the penetration testing, audit trail, encryption, CISO, and incident response plan requirements are included for covered entities with:
    • fewer than 10 employees (including independent contractors);
    • less than $5,000,000 in gross annual revenue in each of the last three fiscal years;
    • less than $10,000,000 in year-end total assets.
The cybersecurity rule proposed by the NYDFS follows several high-profile hackings of US companies in 2014 and, once implemented, will be the first of its kind in the nation. Other financial regulators, including the federal banking regulators, have also announced that they are considering implementing more stringent cybersecurity rules (see Legal Update, Federal Bank Regulators Announce Plans to Propose New Cybersecurity Requirements).
For more information on the NYDFS proposal, see Article, NY Department of Financial Services Cybersecurity Regulations for Banks and for more information on data privacy and cybersecurity in the US, see Practice Note, US Privacy and Data Security Law: Overview.