New York State Department of Financial Services Modifies Proposed Cybersecurity Regulations and Pushes Implementation Date Back to March 1, 2017

by Kramer Levin Naftalis & Frankel LLP

On Dec. 28, 2016, the New York State Department of Financial Services (NYDFS) published a revised version of its “Cybersecurity Requirements for Financial Services Companies” (the “Regulations”). The revised Regulations preserve the intent and core requirements of the original proposal, issued Sept. 13, 2016, while incorporating certain changes intended to ease compliance burdens raised by some regulated entities during the comment period. These proposed modifications are aimed at enhancing the ability of regulated entities to tailor cybersecurity programs and policies to counter their own particularized risks and threats.

Changes in the Revised Requirements

While the revised Regulations retain most of the content set forth in the proposed rules promulgated last summer, which were summarized in a prior Kramer Levin Alert, there are important modifications of which regulated entities should be aware. Following criticisms that the original rules imposed strict, one-size-fits-all requirements on the variety of businesses that qualify as Covered Entities, some of the Regulations have been relaxed or made more nuanced. Significantly, many of the steps that Covered Entities were previously required to take are now tied to “the Covered Entity’s Risk Assessment.” These changes may afford Covered Entities additional flexibility in implementing the Regulations in a manner appropriate to their business operations and the particular cybersecurity threats presented.

The following list summarizes some of the most significant changes to the Regulations:

  • Particularized Risk Assessment: As noted, certain mandated programs and policies are now directly tied to “the Covered Entity’s Risk Assessment.” (500.02(b); 500.03) Covered Entities must conduct a “periodic” Risk Assessment, not necessarily on an annual basis, but as necessary in order to “address changes to the Covered Entity’s Information Systems, Nonpublic Information or business operations” and allow for “revision of controls to respond to technological developments and evolving threats.” Consistent with the more prominent position that the Risk Assessment occupies in the revised Regulations, the Risk Assessment must be robust enough to “inform the design of the cybersecurity program,” and the Regulations outline specific criteria that need to be met. (500.09)
  • Nonpublic Information: The definition of Nonpublic Information has been clarified to include only identifying information with one or more of the following: (i) Social security number; (ii) driver’s license number or nondriver card number; (iii) account numbers, including credit or debit card numbers; (iv) security codes, including passwords to financial accounts; or (v) biometrics. (500.01(g)(2))
  • Third Party Service Provider (TPSP): A definition has been added to the Regulations, clarifying that in order to qualify as a covered TPSP, the provider must “maintain, process, or otherwise [be] permitted access to Nonpublic Information” through its provision of services. (500.01(n))
  • Chief Information Security Officer (CISO): Covered Entities that do not qualify for one of the exemptions remain obligated to designate a qualified individual to serve as a CISO, charged with “overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy.” The CISO may be employed by the Covered Entity, an affiliate or a TPSP. The CISO must report to the Covered Entity’s board of directors “or an equivalent governing body” on the cybersecurity program and “material” cybersecurity risks on at least an annual basis. (500.04)
  • Penetration Testing: Requirements regarding penetration testing and vulnerability assessments have been honed. Unlike the previously proposed Regulations, the amended Regulations provide that the monitoring and testing “shall include continuous monitoring or periodic penetration testing and vulnerability assessments.” Where effective continuous monitoring is not feasible, certain tests should be conducted annually or biannually. (500.05)
  • Audit Trail: The original rule required Covered Entities to maintain an audit trail that allowed “for the complete and accurate reconstruction of all financial transactions and accounting necessary to enable the Covered Entity to detect and respond to a Cybersecurity Event.” The amendment relaxes this requirement by allowing companies to implement systems “designed to reconstruct material financial transactions” and that “include audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.” The audit trail systems are also to be implemented “to the extent applicable” and based on the Covered Entity’s Risk Assessment. The retention period for related data has been reduced from six to five years. (500.06)
  • TPSP: While the requirements concerning TPSPs remain largely intact, the revised Regulations now direct Covered Entities to “include relevant guidelines for due diligence and/or contractual protections relating to Third Party Service Providers,” in their policies, instead of requiring “preferred provisions” to be “included in contracts with third party service providers.” The “relevant guidelines” include consideration of the TPSP’s policies and procedures regarding encryption and access controls (including multifactor authentication). In addition, they require notice be provided to the Covered Entity in case of a Cybersecurity Event “directly impacting … Nonpublic Information and Information Systems,” as well as “representations and warranties addressing the Third Party Service Provider’s cybersecurity policies and procedures that relate to the security of the Covered Entity’s Information Systems or Nonpublic Information.” (500.11)
  • Multi-Factor Authentication: The mandate that Covered Entities use multi-factor authentication or an equivalent level of protection to guard against unauthorized access to Nonpublic Information or Information Systems is now tethered to circumstances in which internal networks are accessed externally, though multi-factor authentication may be appropriate in other contexts, depending on the Covered Entity’s Risk Assessment. (500.12)
  • Data Retention/Destruction: The Regulations continue to require Covered Entities to limit the retention of Nonpublic Information. They must have “policies and procedures in place for the secure disposal on a periodic basis” of Nonpublic Information “no longer necessary for business operations or for legitimate business purposes,” unless its preservation is required by law or other regulation or if targeted disposal is not reasonably feasible. (500.13)
  • Training and Monitoring: Covered Entities must provide “regular cybersecurity awareness training” for all personnel that reflects the vulnerabilities identified in the Covered Entity’s Risk Assessment. (500.14)
  • Encryption: Rather than requiring Covered Entities to “encrypt all Nonpublic Information,” the revised Regulations require that Covered Entities “implement controls, including encryption, to protect Nonpublic Information both in transit and at rest.” If encryption is not feasible for the Covered Entity (the cost and burden of encryption — in transfer and at rest — were among the key concerns raised during the comment period), other “effective alternative compensating controls” over Nonpublic Information are permissible, provided that they are reviewed and approved by the Covered Entity’s CISO at least annually. (500.15)
  • Incident Response Plan (IRP): The Regulations concerning the IRP remain mostly unchanged, though they now mandate that the IRP need only address those Cybersecurity Events that may “materially” affect the “confidentiality, integrity or availability of the Covered Entity’s Information Systems or the continuing functionality of any aspect of the Covered Entity’s business operations.” (500.16)
  • Notices: In addition to the annual Certification of Compliance that must be submitted to the NYDFS Superintendent (now due on Feb. 15 of each year), Covered Entities must notify the NYDFS Superintendent no later than 72 hours after it has been determined that a Cybersecurity Event has occurred that either (i) must be reported to any other governmental, regulatory or supervisory body or (ii) has a “reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.” (500.17)
  • Confidentiality: The Regulations now include a confidentiality provision that indicates information provided by Covered Entities under the Regulations is subject to exemptions from disclosure under state and federal laws. (500.18)
  • Exemptions: The Regulations include modified exemptions that may remove some companies from obligations to comply, but the exemptions remain fairly limited. A notable revision to the exemptions is that small businesses with fewer than 10 employees or independent contractors (instead of Covered Entities with fewer than 1,000 customers per year) are now exempt from most provisions (alongside those with less than $10,000,000 in assets or less than $5,000,000 in gross annual revenue), though such Covered Entities must still maintain a Cybersecurity Program and Cybersecurity Policy. The Regulations also exempt Covered Entities that do not “directly or indirectly operate, maintain, utilize or control any Information Systems,” and that do not “directly or indirectly control, own, access, generate, receive or possess Nonpublic Information.” Covered Entities that qualify for exemptions must file a Notice of Exemption with the Superintendent. (500.19)
  • Effective Date: The effective date of the Regulations has been pushed back to March 1, 2017. Covered Entities must supply their first annual Certification of Compliance to NYDFS by Feb. 15, 2018. (500.21)
  • Transitional Periods: The revised Regulations provide not only the original 180-day transition period, but also grant longer transitional periods for implementation of specific parts of the Regulations. (500.22)

A More Flexible but Still Demanding Regulatory Framework

With the Dec. 28 revisions, the NYDFS has modified the compliance burden imposed by the Regulations by introducing more flexible language into some of the requirements and directing Covered Entities to calibrate the parameters of their cybersecurity programs to the results of a Risk Assessment. Nonetheless, the core requirements contained in the original version of the Regulations have been preserved. As a result, banks, insurance companies and financial services companies regulated under the corresponding New York laws that do not qualify for the limited exemptions must assess their cybersecurity vulnerabilities on an ongoing basis, take proactive measures to address them and certify that they have done so to the NYDFS.

Following the end of a 30-day notice and public comment period on Jan. 27, 2017, the revised Regulations are presently scheduled to become effective March 1, 2017.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Kramer Levin Naftalis & Frankel LLP | Attorney Advertising
