The New York Department of Financial Services (NYDFS) announced today a revised regulation that will require all institutions subject to NYDFS supervision to establish and maintain a cybersecurity program meeting "certain regulatory minimum standards." All financial institutions under NYDFS jurisdiction—including banks, state-licensed lenders, mortgage industry companies, insurance companies, and money services businesses—should carefully assess whether existing security measures will need to be enhanced and what additional steps may need to be taken to satisfy the requirements in the proposed rules. Third party service providers to these institutions should also prepare for compliance requirements that will likely be imposed downstream from these covered entities.

The revised regulation will become final and effective on March 1, 2017 (a delay of two months from the originally proposed January 1, 2017, effective date). The first annual certification will now be due by February 15, 2018. The revised regulation also establishes tiered transition periods for covered entities to comply with the new requirements:

• Six months: All provisions not specified in the following transition periods.

• One year: CISO reporting to the board of directors (500.04(b)), penetration testing and vulnerability assessments (500.05), risk assessments (500.09), multi-factor authentication (500.12), and cybersecurity awareness training (500.14(a)(2)).

• 18 months: Audit trails (500.06), application security (500.08), data retention (500.13), policies and procedures to monitor the activity of authorized users (500.14(a)(1)), and encryption (500.15).

• Two years: Third party service provider security policy (500.11).

Many of the requirements set forth in the initial version of the proposed regulation, released on September 13, 2016 (summarized in our prior alert available here), remain unchanged. NYDFS made some significant concessions, however, in response to more than 150 public comments that were submitted. NYDFS released an "Assessment of Public Comments" with the revised regulation, providing some insight into the changes made in response to the public comments. Some of the most pertinent revisions include:

• Small business exemption: Creation of a "limited" small business exemption for covered entities that have less than 10 employees, $5 million in gross annual revenue, or $10 million in year-end total assets.

• Risk-based assessments: Clarification that the revised regulation was intended to be linked to a covered entity's risk assessment, such as the encryption and multi-factor authentication mandates. However, NYDFS cautions that a risk assessment should not be used to justify a cost-benefit analysis of acceptable losses related to cybersecurity risks. The term "risk assessment" has been added as a new defined term in the revised regulation. The revised regulation requires that risk assessments be performed "periodically," instead of annually (as originally proposed).

• Audit trails: Reduction in the level of prescriptive requirements related to maintaining audit trails, including reducing the covered period from six to five years and focusing on material cybersecurity events.

• Nonpublic information: Significant narrowing of the definition to conform more closely to the definition in the New York breach notification statute. The revised regulation provides an exemption for any covered entity that does not directly or indirectly control, own, access, generate, receive, or possess any nonpublic information.

• Chief Information Security Officer (CISO): Clarification that so long as a covered entity has designated a qualified individual to perform the functions of a CISO, no individual is required to have this specific title or be dedicated exclusively to CISO activities. The designated individual now must provide a written, more narrowly focused, annual (not bi-annual) cybersecurity report to the board of directors or governing body.

• Third party service providers: Amendment of the proposed regulation to clarify that any requirements on third party service providers should be based on the covered entity's risk assessment. Thus, covered entities will not be required to audit the systems of all third party service providers. The language requiring certain "preferred provisions" to be added to vendor contracts has been removed and replaced with a requirement to establish relevant guidelines and/or contractual protections. The term "third party service provider" has been added as a new defined term in the revised regulation.

• Affiliates: Authorization of covered entities to satisfy the requirements of the revised regulation if covered by the cybersecurity program of an affiliate, including the affiliate's CISO.

• Cybersecurity event reporting: Retention of the 72-hour reporting timeframe for notifying NYDFS of a "cybersecurity event." Addition of a "materiality" qualifier to those provisions related to responding to and reporting of cybersecurity events. The revised notification requirement applies only to:

Importantly, the revised regulation includes new language addressing the confidentiality of any reporting submitted to NYDFS about cybersecurity events.

Public comments may be filed on the revised regulation for 30 days from today's publication date. NYDFS will consider as part of its final review any new comments that were not previously raised during the original comment period, which ended on November 14, 2016. As NYDFS has proven receptive to making changes based on public comments, financial institutions should carefully consider whether to file comments during the next 30 days.