New York Delays Cybersecurity Rules for Banks/Insurers Until March 1, 2017

Cynthia Larose, Natalie Prescott
Mintz - Privacy & Cybersecurity Viewpoints
Contact
LinkedIn
Facebook
X
Send
Embed

The New York State Department of Financial Services has announced — much to the relief of the multitude of financial services companies and insurers regulated by DFS — that it will revamp its recently proposed cybersecurity rule.  After receiving more than 150 letters and taking into account recent public comments, the NYDFS has decided to revise its initial proposed rule to address public comments and concerns and to scale back some of the proposed standards.

As we previously wrote, the NYDFS had announced its original proposed rule in September.  The initial proposed rule, which was due to go into effect on January 1, 2017, has immediately received criticism from financial institutions.  The industry was concerned that the rule failed to distinguish between large and small financial institutions, and that it may further conflict with future federal regulations on cybersecurity.  In response to recent public comments, the department has agreed to ease certain requirements for encrypting data and breach notification, to name a few.   In particular, encryption requirements have been stepped back to provide that in the event encryption is found to be “infeasible” for some sensitive data, entities can provide an alternate method of security for the data, approved by the company’s Chief Information Security Officer.

Other notable revisions include:  A limited small business exemption, risk-based assessments, clarification with respect to the role and function of the Chief Information Security Officer, less strict audit trails requirement, and what triggers the 72-hour reporting period to notify the department of a cybersecurity event.  The full text of the proposed rule can be found here.

The rule will again be subject to a 30-day comment period.  The department will focus its final review on new comments not raised previously.

Once implemented, this will be the first rule of its kind in the United States.  All financial institutions under the jurisdiction of NYDFS—including banks, lenders, insurers, mortgage companies, and money services businesses—should carefully evaluate the requirements and consider submitting public comments.  Once the rule goes into effect on March 1, 2017, financial institutions will need to ensure compliance within 6 months to 2 years (depending on the applicable tier).

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Mintz - Privacy & Cybersecurity Viewpoints | Attorney Advertising

Written by:

Mintz - Privacy & Cybersecurity Viewpoints
Mintz - Privacy & Cybersecurity Viewpoints
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Mintz - Privacy & Cybersecurity Viewpoints on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide