On November 9, 2022, the New York State Department of Financial Services (“DFS”) proposed new amendments to the Cybersecurity Requirements for Financial Services Companies, after receiving industry feedback on “pre-proposed” versions of the amendments issued on July 29, 2022. The currently proposed amendments revise those pre-proposed amendments, including by: revising the definition of “Class A” companies (which would be subject to heightened cybersecurity requirements) to include only covered entities that have over $20 million in gross annual revenue from business operations in New York in each of the last two fiscal years; requiring a covered entity’s board of directors to “provide direction” to management regarding the company’s cybersecurity management; and requiring that a covered entity notify DFS within 72 hours of learning of a cybersecurity incident at a third-party service provider affecting the covered entity. The 60-day notice-and-comment period for the proposed amendments runs until 5:00 P.M. E.S.T. on Monday, January 9, 2023.