NY DFS’s Revised Cybersecurity Rules Are More Flexible, Still Mandatory For Banks And Financial Institutions

King & Spalding

On December 28, 2016, the New York Department of Financial Services (“DFS”) issued a revised version of its proposed cybersecurity rule for banks, insurers, money service businesses, and regulated virtual currency operators who are licensed under New York’s banking, insurance, or financial services laws.  This proposed rule would require financial entities to establish and maintain specific cybersecurity safeguards and procedures.

The original proposed rule, issued on September 13, 2016, was criticized by some organizations for various reasons.  The proposed rule has been revised in several ways in response to industry comments.  For example, financial institutions must now report only those cybersecurity events that (1) are required to be reported to any government or supervisory body, and (2) have a reasonable likelihood of materially harming the entity’s normal operations.  The original proposed rule required entities to report any cybersecurity event to DFS within 72 hours, even if it was an unsuccessful attempt.  The original proposed rule also required that regulated entities encrypt all sensitive data, including both data in transit and data at rest.  The revised rule permits entities to secure sensitive data at rest without encryption using alternative compensating controls, if encryption is infeasible.  Third-party oversight requirements have also been slightly relaxed in accordance with risks presented. 

The revised proposed rule is subject to a 30-day comment period, which commenced on December 28, 2016.  The rule is effective on March 1, 2017, with transitional periods ranging from six months to two years for various portions of the rule.
