On Tuesday, November 28 Avi Gesser, Erez Liebermann and Stephanie Thomas of the Debevoise Data Strategy and Security group hosted a webcast that examined the final amendments to Cybersecurity Regulation, 23 NYCRR Part 500, announced by the NYDFS on November 1, 2023. They discussed what changes made it into the final version, and the implications that the final rules have for NYDFS-regulated entities. Important issues covered included:

  • The timing for implementation of the new rules;
  • The final definition of Class A companies and what is required of them;
  • The changes to the multi-factor authentication obligations;
  • The new business continuity and disaster recovery requirements;
  • The final audit and risk assessment procedures; and
  • The revised annual certification obligations and what now constitutes a violation of Part 500.

Our recent blog post on the  final amendments to the NYDFS cyber rules can be read here.

To receive an on-demand recording of the webcast, please click HERE.

To access an on-demand recording of our webcasts on prior drafts of the amendments, please click below:


Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.


Erez is a litigation partner and a member of the Debevoise Data Strategy & Security Group. His practice focuses on advising major businesses on a wide range of complex, high-impact cyber-incident response matters and on data-related regulatory requirements. Erez can be reached at eliebermann@debevoise.com


Stephanie D. Thomas is an associate in the Litigation Department and a member of the firm’s Data Strategy & Security Group and the White Collar & Regulatory Defense Group. She can be reached at sdthomas@debevoise.com.