New York’s “First in the Nation” Financial-Sector Cybersecurity Regulations Put on Hold.

Foley Hoag LLP - Security, Privacy and the Law

In late December, New York’s Financial Services Superintendent Maria T. Vullo announced that the New York’s Department of Financial Services’ (“DFS”) new cybersecurity regulations would not go into effect on January 1, 2017 as initially planned.  These “first-in-the-nation” cybersecurity regulations were designed to help protect consumers and the financial system from the increasingly serious threat of cyberattacks.  However, the regulations faced opposition from the financial services companies and insurers that would have been subject to them.

The proposed regulations would have required insurers, banks and other financial institutions to develop detailed, specific plans for data breaches, appoint a Chief Information Security Officer (“CSIO”), and increase customer data monitoring by their vendors.  More specifically, the proposed regulations would have required regulated entities to adopt a written cybersecurity policy that addressed, at a minimum, the following criteria: 1) information security; 2) data governance and classification; 3) access controls and identity management; 4) business continuity and disaster recovery planning and resources; 5) capacity and performance planning; 6) systems operations and availability concerns; 7) systems and network security; 8) systems and network monitoring; 9) systems and application development and quality assurance; 10) physical security and environmental controls; 11) customer data privacy; 12) vendor and third-party service provider management; 13) risk assessment; and 14) incident response.  The proposed regulations also would have required regulated entities to conduct penetration testing and vulnerability assessments of their own systems, to implement multi-factor authentication for individuals accessing internal systems who have privileged access or to support functions including remote access, and to encrypt all non-public information held or transmitted.

In response to critical public comments on the proposed regulations, DFS agreed to update the proposed rule in order ease certain requirements and give regulated entities a longer period of time to review the rule before it became final.  In particular, the updated proposed regulations relax the requirements for encryption where encryption of certain non-public data is infeasible, contain a small business exemption (exempting companies with fewer than 10 employees, less than $5M in gross annual revenue, or less than $10M in year-end total assets), clarify the role of the CSIO, clarify the triggers for the 72 hour reporting obligation for a “Cybersecurity Event,” and slightly modified the criteria required to be addressed in a company’s written Cybersecurity policy.

The updated proposed regulation was submitted to the NY State Register on December 15, 2016, published on December 28, 2016 and is currently within the 30-day notice and comment period.  It is to take effect on March 1, 2017 with varying transitional periods for compliance with different provisions of the regulation, the shortest being 180 days.  Updates to follow.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley Hoag LLP - Security, Privacy and the Law | Attorney Advertising

Written by:

Foley Hoag LLP - Security, Privacy and the Law

Foley Hoag LLP - Security, Privacy and the Law on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.