The New York Department of Financial Services (DFS) rang in the New Year by releasing changes to the agency's proposed cybersecurity regulations.

What happened

On December 28, 2016, as the result of extensive feedback from stakeholders, the DFS issued a modified proposal for its first-in-the-nation cybersecurity regulations for banks, insurance companies, and other financial services institutions under its jurisdiction. The updated proposed regulations, titled "Cybersecurity Requirements for Financial Services Companies," is now set to take effect on March 1, 2017 rather than the previously targeted effective date of January 1, 2017.

In September, the DFS had proposed the regulations to address the continuing threats posed by cybercriminals.

The regulations required covered entities to assess their specific risk profile and design a program that is "designed to ensure the confidentiality, integrity and availability" of the entity's information systems and "nonpublic information," including any business-related information, information provided to a covered entity, healthcare information, and personally identifiable information.

Also mandated: a cybersecurity policy covering topics ranging from business continuity and disaster recovery planning to physical security and environmental controls and the designation of a Chief Information Security Officer (CISO), with that officer or another member of senior management obligated to file an annual certification with the DFS that confirms compliance with the regulation.

The regulation was due to take effect on January 1, 2017. But after receiving more than 150 comments on the initial proposal and listening to testimony at a hearing before the State Assembly (where witnesses expressed concern about reporting requirements, the cost of compliance, and the one-size-fits-all nature of the regulation), the DFS pushed back the effective date with staggered implementation of compliance requirements.

The regulator also published a modified proposal.

Changes to the initial proposal included the addition of a definition of a "Third-Party Service Provider" and a modification to the definition of "Nonpublic Information" to achieve consistency with the definition of "private information" found in New York's existing data breach notification law.

The regulator explained that several items included in the required cybersecurity policy (such as encryption requirements and the use of multi-factor authentication for employees accessing internal databases) were not black-and-white mandates, but should be based on the institution's risk assessment. The DFS noted that the risk assessment could not be used to justify a cost-benefit analysis of "acceptable losses" to cybersecurity risks, however. The frequency of risk assessment was also tweaked to have them performed periodically rather than annually.

The modified proposal also features clarifications about the CISO position. The officer does not have to be a new hire or an individual dedicated solely to CISO activities, DFS said, and can be employed by an affiliate of the covered entity or by a service provider.

The covered entity's obligation to maintain audit trails is now limited to cybersecurity events "that have a reasonable likelihood of materially harming any material part of the normal operations," and DFS amended the regulation to explain that the requirements placed on third-party service providers should be based on the covered entity's risk assessment, not a separate audit of the third party.

The regulator also attempted to establish limited exemptions. For example, the regulation would not cover "small" covered entities—defined as those with less than 10 employees and independent contractors, less than $5 million in gross annual revenue in each of the last three years, or less than $10 million in year-end total assets—as well as covered entities that do not "control, generate, or receive nonpublic information."

"New Yorkers must be confident that the banks, insurance companies and other financial institutions that they rely on are securely handling and establishing necessary protocols that ensure the security and privacy of their sensitive personal information," DFS Superintendent Maria T. Vullo said in a statement. "This updated proposal allows an appropriate period of time for regulated entities to review the rule before it becomes final and make certain that their systems can effectively and efficiently meet the risks associated with cyber threats."

Stakeholders and interested parties have 30 days to comment on the modified proposal. The regulations will then become final and take effect March 1, 2017. A 180-day period to achieve compliance will occur, with additional periods of 12, 18, or 24 months for compliance attached to specific provisions of the regulation.

To read the revised DFS regulation, click here.

Why it matters

The revised DFS regulation reflects the need for flexibility by relaxing some of the more stringent requirements found in the initial proposal, allowing covered entities to adopt a program and policy more attuned to their specific size and risk category. The adjustments remind observers that cybersecurity regulation in the U.S. remains an industry-specific and predominantly self-regulated enterprise. That being said, many covered entities will still need to take significant steps to comply with the new regulation. Cybersecurity should be a top-of-mind concern for financial institutions, as evidenced not only by the forthcoming DFS regulation but the efforts of other regulators as well, such as the $14.4 million in fines recently issued by the Financial Industry Regulatory Authority for data security failures (see story above for more details).