DFS’ Proposed Cybersecurity Regulation Edges Closer to Becoming Final Following Public Hearing

Rosemary McKenna
Jackson Lewis P.C.
Contact
LinkedIn
Facebook
X
Send
Embed

The New York State Assembly Committee on Banks held a public hearing on December 19, 2016, receiving testimony about both the benefits and challenges of a recently proposed regulation to address the growing threat posed by cyber-attacks on banks, insurance companies and most other entities which are regulated by the Department of Financial Services (DFS). The proposed regulation was initially published by DFS on September 28, 2016 and since that time has been subject to a public comment period before final issuance.

The proposed regulation, if adopted, is likely to require most DFS-regulated organizations to establish a cybersecurity program, including the adoption of policies and procedures, the reporting to DFS of all successful and unsuccessful cybersecurity attacks, the appointment of a chief information security officer to oversee cybersecurity plans, and the inclusion of certain required provisions in third-party service provider agreements. We have outlined the proposed regulation in more detail here.

Representatives from community banking and other relatively small DFS-regulated entities testified during the hearing that the proposed regulation is a “one size fits all” solution that are too onerous for small to mid-sized entities, fail to coordinate with existing federal cyber requirements, and seek to focus on a national security threat that should be addressed exclusively at the federal level. They also noted that the reporting requirements under the proposed regulation are particularly onerous in that reporting would be required for successful and unsuccessful cybersecurity attacks, which will further contribute to additional regulatory compliance costs that will be passed on to the consumer, resulting in higher consumer prices and possibly reduced consumer choice in some markets. Other witnesses claimed the proposed regulation does not go far enough, calling for more comprehensive and prescriptive requirements.  DFS did not testify at the hearing.

Meanwhile, DFS has indicated informally that it intends to publish a revised regulation in the coming weeks, and that, in so proceeding, will among other things extend the proposed regulation’s January 1, 2017 effective date. DFS has not signaled — either informally or formally – what other changes it intends to make the in the revised regulation.   It is possible the testimony from today’s public hearing could influence some of the changes.

We will report on this blog once DFS publishes its revised regulation. We continue to urge DFS-regulated companies to carefully review their current programs, policies, and procedures to understand their current cyber footing and evaluate what action, if any, they will need to take once the revised regulation is adopted.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jackson Lewis P.C. | Attorney Advertising

Written by:

Jackson Lewis P.C.
Jackson Lewis P.C.
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Jackson Lewis P.C. on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide