Skip to main content

New York Delays Cybersecurity Rules for Banks/Insurers Until March 1, 2017

The New York State Department of Financial Services has announced -- much to the relief of the multitude of financial services companies and insurers regulated by DFS -- that it will revamp its recently proposed cybersecurity rule.  After receiving more than 150 letters and taking into account recent public comments, the NYDFS has decided to revise its initial proposed rule to address public comments and concerns and to scale back some of the proposed standards.

As we previously wrote, the NYDFS had announced its original proposed rule in September.  The initial proposed rule, which was due to go into effect on January 1, 2017, has immediately received criticism from financial institutions.  The industry was concerned that the rule failed to distinguish between large and small financial institutions, and that it may further conflict with future federal regulations on cybersecurity.  In response to recent public comments, the department has agreed to ease certain requirements for encrypting data and breach notification, to name a few.   In particular, encryption requirements have been stepped back to provide that in the event encryption is found to be “infeasible” for some sensitive data, entities can provide an alternate method of security for the data, approved by the company’s Chief Information Security Officer.

Other notable revisions include:  A limited small business exemption, risk-based assessments, clarification with respect to the role and function of the Chief Information Security Officer, less strict audit trails requirement, and what triggers the 72-hour reporting period to notify the department of a cybersecurity event.  The full text of the proposed rule can be found here.

The rule will again be subject to a 30-day comment period.  The department will focus its final review on new comments not raised previously.

Once implemented, this will be the first rule of its kind in the United States.  All financial institutions under the jurisdiction of NYDFS—including banks, lenders, insurers, mortgage companies, and money services businesses—should carefully evaluate the requirements and consider submitting public comments.  Once the rule goes into effect on March 1, 2017, financial institutions will need to ensure compliance within 6 months to 2 years (depending on the applicable tier).

 

Subscribe To Viewpoints

Authors

Cynthia J. Larose

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.
Natalie A. Prescott is a Mintz attorney and Certified Information Privacy Professional. She defends clients in high-stakes product liability matters, UCL § 17200 and false advertising cases, mass torts, and consumer class actions. Natalie also handles MDL proceedings and product liability litigation.