On December 28, 2016, the New York State Department of Financial Services (“DFS“) announced that it has updated its proposed first‑in‑the‑nation cybersecurity regulation. The proposed regulation, which will be effective March 1, 2017, will require banks, insurance companies and other financial services institutions regulated by DFS to adopt a cybersecurity program by assessing its specific risk profile and designing a program to address these risks accordingly.
According to the DFS, “This updated proposal allows an appropriate period of time for regulated entities to review the rule before it becomes final and make certain that their systems can effectively and efficiently meet the risks associated with cyber threats.”
Among the changes made, the definition of “Exemptions” has been expanded to provide:
that “Covered Entities” that have less than the specified number of employees, gross annual revenue or year‑end total assets shall be exempt from the requirements of enumerated sections;
an exemption for an employee, agent, representative or designee of a Covered Entity, who is itself a Covered Entity;
an exemption from enumerated sections for a Covered Entity that does not directly or indirectly operate, maintain, utilize or control any “Information Systems” and that does not, and is not required to, directly or indirectly control, own, access, generate, receive or possess “Nonpublic Information“;
a requirement that Covered Entities that qualify for an exemption file a “Notice of Exemption”; and that a Covered Entity that ceases to qualify for an exemption must comply with all applicable requirements of the proposed rule.
The updated proposed regulation will be finalized following a 30-day notice and public comment period. Press Release. DFS Assessment of Public Comments. DFS Summary. Proposed Regulation (As Revised).