On December 28, 2016, the New York Department of Financial Services ("DFS") published revisions to its proposed cybersecurity regulation for financial services companies. The revisions amend the regulation initially proposed earlier this fall. Similar to the initial version of the proposed regulation, the revision continues to apply to "covered entities" (generally, regulated financial institutions that include both New York licensees and New York chartered banks). As detailed in the DFS Assessment of Public Comments (summarizing over 150 comments on the proposed rule), a number of revisions were made to the regulation, including:
- The effective date of the regulation has been set at March 1, 2017. The regulation will be finalized following a 30-day comment period.
- The DFS has clarified that certain elements of the regulation (such as the cybersecurity program and policy requirements in §§ 500.02 and 500.03, penetration testing and vulnerability assessments in § 500.05, audit trail provisions in § 500.06, access privileges in § 500.07, third party service provider security policy requirements in § 500.11, multi-factor authentication in § 500.12, and encryption requirements in § 500.15) are intended to be risk-based and tied to the covered entity's risk assessment. However, the DFS has made it clear that the risk assessment revisions to the regulation should not be used as a cost/benefit means of identifying "acceptable losses" when complying with the revised regulation.
- The definition of what constitutes "nonpublic information" has been revised, including changes to what types of personally identifiable information will be considered nonpublic information.
- The revised regulation requires a covered entity to have an individual who fulfills the responsibilities of the Chief Information Security Officer ("CISO"), while clarifying that a new hire or exclusively-designated individual is not required for the CISO role.
- The revised regulation includes several limited exemptions, including one for covered entities that do not control, generate, or receive nonpublic information and another for small covered entities (those with less than 10 employees and independent contractors, less than $5 million in gross annual revenue in each of the last 3 years, or those with less than $10 million in year-end total assets (including affiliate assets) calculated according to GAAP).
The proposed revisions also call for a staggered implementation timeframe. There will be a general 180-day period from the March 1st effective date to allow for covered entity compliance. Beyond that, there are additional periods of either 12, 18, or 24 months for compliance with certain specified provisions of the revised regulation.