On December 28, 2016, the New York Department of Financial Services (“DFS”) issued a revised version of its proposed cybersecurity rule for banks, insurers, money service businesses, and regulated virtual currency operators who are licensed under New York’s banking, insurance, or financial services laws. This proposed rule would require financial entities to establish and maintain specific cybersecurity safeguards and procedures.
The original proposed rule, issued on September 13, 2016, drew criticism from a number of organizations, and the proposed rule has been revised in several ways in response to industry comments. For example, financial institutions must now report only those cybersecurity events that (1) are required to be reported to any government or supervisory body, and (2) have a reasonable likelihood of materially harming the entity’s normal operations. The original proposed rule required entities to report any cybersecurity event to DFS within 72 hours, even if the attempt was unsuccessful. The original proposed rule also required regulated entities to encrypt all sensitive data, both in transit and at rest. The revised rule permits entities to secure sensitive data at rest without encryption, using alternative compensating controls, where encryption is infeasible. Third-party oversight requirements have also been slightly relaxed so that they scale with the risks presented.
The revised proposed rule is subject to a 30-day comment period, which commenced on December 28, 2016. The rule is effective on March 1, 2017, with transitional periods ranging from six months to two years for various portions of the rule.