DFS Announces “Updated” Cybersecurity Regulation

Patterson Belknap Webb & Tyler LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Yesterday, the New York Department of Financial Services (DFS) announced an “updated” cybersecurity regulation that will go into effect on March 1, 2017.  The updated regulation is, in many respects, less stringent than the DFS’s original proposal

As a reminder, in September of this year, the DFS announced a far-reaching and unprecedented cybersecurity regulation that covers any company operating with a “license” or “similar authorization” under New York’s “banking law, the insurance law or the financial services law.”  The original proposed regulation faced substantial industry backlash, with covered institutions claiming that the regulation was inflexible and pressuring the DFS to delay implementation. 

As shown by its responses to industry comments, the DFS took those concerns seriously.  In the forthcoming weeks, we will discuss in detail the differences between the original and updated regulation.  But a redline of the original and proposed regulation shows that those changes are not cosmetic. 

For example, companies will now have an eighteen month “transitional period” to develop an audit trail system, to create written procedures to ensure the security of their applications, and to establish policies for the secure disposal of nonpublic data.  Covered entities will also have two years to develop and implement written policies and procedures for their third-party vendors.

Moreover, many of the DFS’s proposed technical requirements are no longer mandatory.  The original regulation required companies, within five years, to encrypt all nonpublic information.  Now, a company may secure nonpublic information with “effective alternative compensating controls” for an indeterminate time, so long as the company determines that encryption is “infeasible.”

The mandatory reporting requirement has also been modified.  Previously, companies were required to inform the DFS of any cybersecurity event that involved the “actual or potential unauthorized tampering with, or access to or use of” nonpublic information.  Now, notice is required only for events that “have a reasonable likelihood of materially harming any material part of the normal operation(s) of” the company.

These are just a sample of the DFS’s updates to the regulation.  The updated regulation is subject to a 30-day comment period.

Stay tuned for a more detailed digest of the DFS revisions.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Patterson Belknap Webb & Tyler LLP | Attorney Advertising

Written by:

Patterson Belknap Webb & Tyler LLP
Patterson Belknap Webb & Tyler LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Patterson Belknap Webb & Tyler LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide