We previously reported on the New York Department of Financial Services’ proposed cybersecurity regulations. During the public comment period, the DFS received over 150 comments. In response, the DFS announced on December 28, 2016, that it had revised the proposed regulations and delayed their effective date two months – until March 1, 2017, with required compliance 180 days thereafter (August 28, 2017).

Many small and medium-sized companies were particularly active in expressing their objection to the “one size fits all” approach of the original proposed regulations. DFS attempted to address these concerns in the revised proposed regulations by making an organization’s design for its cybersecurity program dependent on the outcome of that organization’s risk assessment.  A risk assessment would be required periodically, as opposed to annually, as originally proposed by the DFS. In the revised proposed regulations, an organization’s risk assessment drives many additional aspects of the cybersecurity program, including audit trails, access privileges, and multi-factor authentication. Additionally, whether an entity is exempt is now defined by the number of employees and independent contractors (fewer than 10), rather than the number of customers, in addition to retaining the original proposal’s gross revenue and total asset exemptions. While small and medium-sized companies can employ the use of a third party service provider for some assistance (i.e., being the company’s designated CISO or providing its cybersecurity personnel), the burden of overseeing these providers and compliance with the regulation’s requirements will still largely fall to the company’s compliance and IT personnel.

In the revised proposed regulations, the definition of “nonpublic information” is also narrower than originally proposed.  The revised definition of “nonpublic information” is more in line with the relevant definitions in other breach notification statutes. The encryption requirements for nonpublic information are also scaled back in the revised proposed regulations. No longer are companies required to encrypt all nonpublic information in all circumstances to protect information at rest or in transit. Instead, the proposed regulation requires the implementation of “compensating controls,” which may (but not necessarily) include encryption depending on the risk assessment. 

Additional key revisions include:

• Notice Requirements: Notice of a cybersecurity event was modified to those events which the entity must report to any government body or self-regulatory or supervisory body, and those events that have a reasonable likelihood of materially harming any material part of the normal operations of the entity. This revision removes the original proposal’s requirement to report any potential unauthorized tampering with or access to or use of nonpublic information. Notice must still be made to the DFS within 72 hours or less.
• Clarity on Third Party Service Provider(s): The original proposal left this phrase undefined, where the revised proposal defines it as a person that: (i) is not an affiliate of the entity; (ii) provides services to the entity; and (iii) maintains, processes or otherwise is permitted access to nonpublic information through its provision of services to the entity.
• CISO: Cybersecurity reports are to be submitted at least annually, as opposed to the original proposal which required at least bi-annual reporting.
• Confidentiality: Information provided to the DFS under the revised proposed regulation is exempt from disclosure.

The final comment period on the revised proposed regulation ends January 27, 2017.