On November 1, 2023, the New York State Department of Financial Services adopted the Second Amendment to its Cybersecurity Regulation, expanding a number of requirements imposed under its existing cybersecurity regime for cybersecurity governance, security practices, and notifications to DFS, among other requirements. The amendment represents the most significant expansion of the Cybersecurity Regulation since it became effective in 2017. Covered entities subject to the Cybersecurity Regulation generally must come into compliance within 180 days from the date of adoption, i.e., April 29, 2024, except that certain provisions allow for longer timeframes, and the new notification requirements will take effect on December 1, 2023.