New York State Department of Financial Services

Covered financial institutions now face heightened expectations in relation to cybersecurity governance, risk assessment, and incident reporting.

By Jenny Cieplak, Tony Kim, Arthur Long, Clayton Northouse, Serrin Turner, Yvette D. Valdez, Deric Behar, and Molly Whitman

The New York State Department of Financial Services’ (DFS) amendments (the Amendments) to its cybersecurity regulations, adopted last month with a first implementation deadline of December 1, 2023, impose new and enhanced requirements on covered entities.

On November 1, 2023, the DFS announced the Amendments to its cybersecurity regulations (23 NYCRR Part 500), which were initially published in 2017. The changes impose more demanding requirements for larger entities, new obligations to report ransomware incidents and payments, and expanded oversight responsibilities for board and senior management. Requirements related to business continuity and disaster recovery have also been included for the first time.

Licensees, exchanges, and other market participants should prepare to comply with the listing, disclosure, capital, and other requirements that the new law imposes.

By Jenny Cieplak, Nima Mohebbi, Parag Patel, Stephen P. Wink, Ian Irlander, Adam Zuckerman, Luca Marquard, and Deric Behar

On October 13, 2023, California Governor Gavin Newsom signed California State Assembly Bill 39, which establishes the Digital Financial Assets Law (DFAL). The new law, which goes into effect on July 1, 2025, makes California only the second state after New York to adopt comprehensive regulation of digital financial assets[1] and associated service providers.

The DFAL authorizes the California Department of Financial Protection and Innovation (DFPI) to administer its provisions and requirements, which apply to the digital asset business activity of a person or entity (Covered Persons) engaging in, or holding itself out as being able to engage in, activities with California residents relating to the exchange, transfer, storage or “administration” of a digital asset,[2] whether indirectly or through a vendor.