Comments submitted on the proposed regulations criticize the lack of a risk-based approach, overbroad definitions, potential extraterritorial implications, an excessive breach notification threshold and a daunting annual certification requirement.

Dozens of financial institutions and trade associations have lodged emphatic objections with the New York State Department of Financial Services (NYSDFS) in response to the Department’s September 28, 2016 Notice of Proposed Rulemaking entitled “Cybersecurity Requirements for Financial Services Companies” (the Proposed Rules). As published for comment in the New York State Register, the Proposed Rules would impose expansive new cybersecurity requirements on entities under NYSDFS’ jurisdiction (and, through contract, would likely also impact service providers that process or store non-public information on their behalf). The Proposed Rules are considerably more prescriptive than cybersecurity guidance and standards promulgated by other financial regulators and, if adopted in their current form, would significantly ratchet up cybersecurity compliance obligations for affected institutions.