Today, the New York Department of Financial Services (DFS) announced an “updated” cybersecurity regulation that will go into effect on March 1, 2017. The updated regulation is, in many respects, less stringent than the DFS’s original proposal.
As a reminder, in September of this year, the DFS announced a far-reaching and unprecedented cybersecurity regulation that covers any company operating with a “license” or “similar authorization” under New York’s “banking law, the insurance law or the financial services law.” The original proposed regulation faced substantial industry backlash, with covered institutions claiming that the regulation was inflexible and pressuring the DFS to delay implementation.
As shown by its responses to industry comments, the DFS took those concerns seriously. In the forthcoming weeks, we will discuss in detail the differences between the original and updated regulation. But a redline of the original and proposed regulation shows that those changes are not cosmetic.
For example, companies will now have an eighteen month “transitional period” to develop an audit trail system, to create written procedures to ensure the security of their applications, and to establish policies for the secure disposal of nonpublic data. Covered entities will also have two years to develop and implement written policies and procedures for their third-party vendors.
Moreover, many of the DFS’s proposed technical requirements are no longer mandatory. The original regulation required companies, within five years, to encrypt all nonpublic information. Now, a company may secure nonpublic information with “effective alternative compensating controls” for an indeterminate time, so long as the company determines that encryption is “infeasible.”
The mandatory reporting requirement has also been modified. Previously, companies were required to inform the DFS of any cybersecurity event that involved the “actual or potential unauthorized tampering with, or access to or use of” nonpublic information. Now, notice is required only for events that “have a reasonable likelihood of materially harming any material part of the normal operation(s) of” the company.
These are just a sample of the DFS’s updates to the regulation. The updated regulation is subject to a 30-day comment period.
Stay tuned for a more detailed digest of the DFS revisions.