The holidays provided an extra gift for those entities licensed or registered under New York’s banking, insurance or financial services laws. The New York State Department of Financial Services (DFS) has revised its proposed cybersecurity regulation, which was published in the New York State Register on December 28, 2016.
The revised regulation was in response to the immense backlash the original regulation received. Many believed the original regulation was overly broad, imposed too many technical requirements, had a “one-size-fits-all” scheme that simply was not workable across the board, used terms that were vague and/or ambiguous, and imposed great costs on those needing to comply with, and report under, the regulation.
There were over 150 written comments and extensive testimony before the New York State Assembly Standing Committee on Banks from various entities. DFS considered the comments and testimony, and the revised regulation was then published on December 28, 2016.
Some key points concerning the revised regulation:
There is still time to comment. Covered entities have another 30-day period to submit comments about the revised proposed regulation before it becomes effective on March 1, 2017.
Timelines have been pushed out. The revised proposed regulation will take effect March 1, 2017 (instead of January 1, 2017). Covered entities will have an extra month to report compliance with the regulation, i.e., they will now have until February 15, 2018 to report compliance. These entities, however, will have 18 months to develop audit trail systems and write certain procedures and policies; two years to develop procedures and policies for vendors; and one year to accomplish a variety of other reporting and assessment requirements.
Technical requirements have been softened. The revised proposed regulation no longer requires encryption of all nonpublic data if encryption is “infeasible.” The revisions allow the covered entities to have more of a voice in what a cybersecurity program should look like and what would work best for their business – instead of a specific schedule for assessments and compulsory technical standards. It allows covered entities to engage in their own risk assessment to determine what is reasonable.
There is still a rapid notice requirement. The 72-hour notice requirement is still present, but events that trigger notice are more closely aligned to current notification laws across the country and in federal and state reporting requirements.
The revised regulation is still broad, particularly in how it defines a “Cybersecurity Event” and “Information Systems.”
DFS is listening, so covered entities should take advantage of the 30-day comment period. In addition, covered entities should evaluate whether their current cybersecurity program meets the requirements of the revised proposed regulation – because on February 15, 2018, they will need to certify compliance with the regulation.