The closely watched New York State Department of Financial Services (NYDFS) cybersecurity standards for covered financial institutions are now final and take effect on March 1, 2017, less than a week from now. The final rule largely tracks the second proposed rule issued in December 2016, which we discussed in our client alert. As a result, the final rule is narrower and less prescriptive than the original proposal, but will still present challenges, especially for financial institutions that do not have mature cybersecurity processes and controls in place.
It was not clear what steps the NYDFS would take following its December 2016 proposal (e.g., whether the NYDFS would issue another proposal for comment). The announcement last week by Governor Andrew Cuomo and the NYDFS affirms that NYDFS is moving full steam ahead, with limited substantive revisions and without providing covered entities much time to comply. Critically, the timing of the final rule is unchanged; its effective date is March 1, 2017, with the first annual certification of compliance due February 15, 2018. The phased compliance periods for specific requirements are also unchanged. The final rule generally will apply to all entities subject to the authority of NYDFS under New York banking, insurance and financial services law, including commercial banks, foreign banks with New York State-licensed offices, mortgage brokers and servicers, small-loan lenders and money transmitters doing business in New York.