The New York State Department of Financial Services has announced -- much to the relief of the multitude of financial services companies and insurers regulated by DFS -- that it will revamp its recently proposed cybersecurity rule. After receiving more than 150 letters and taking into account recent public comments, the NYDFS has decided to revise its initial proposed rule to address public comments and concerns and to scale back some of the proposed standards.
As we previously wrote, the NYDFS had announced its original proposed rule in September. The initial proposed rule, which was due to go into effect on January 1, 2017, has immediately received criticism from financial institutions. The industry was concerned that the rule failed to distinguish between large and small financial institutions, and that it may further conflict with future federal regulations on cybersecurity. In response to recent public comments, the department has agreed to ease certain requirements for encrypting data and breach notification, to name a few. In particular, encryption requirements have been stepped back to provide that in the event encryption is found to be “infeasible” for some sensitive data, entities can provide an alternate method of security for the data, approved by the company’s Chief Information Security Officer.
Other notable revisions include: A limited small business exemption, risk-based assessments, clarification with respect to the role and function of the Chief Information Security Officer, less strict audit trails requirement, and what triggers the 72-hour reporting period to notify the department of a cybersecurity event. The full text of the proposed rule can be found here.
The rule will again be subject to a 30-day comment period. The department will focus its final review on new comments not raised previously.
Once implemented, this will be the first rule of its kind in the United States. All financial institutions under the jurisdiction of NYDFS—including banks, lenders, insurers, mortgage companies, and money services businesses—should carefully evaluate the requirements and consider submitting public comments. Once the rule goes into effect on March 1, 2017, financial institutions will need to ensure compliance within 6 months to 2 years (depending on the applicable tier).