New York Delays Cybersecurity Rules for Banks/Insurers Until March 1, 2017
Thursday, January 5, 2017
FinTech, New York Delays Cybersecurity Rules for Banks/Insurers Until March 1, 2017
Print Mail Download i

The New York State Department of Financial Services has announced — much to the relief of the multitude of financial services companies and insurers regulated by DFS — that it will revamp its recently proposed cybersecurity rule. After receiving more than 150 letters and taking into account recent public comments, the NYDFS has decided to revise its initial proposed rule to address public comments and concerns and to scale back some of the proposed standards.

As we previously wrote, the NYDFS had announced its original proposed rule in September. The initial proposed rule, which was due to go into effect on January 1, 2017, has immediately received criticism from financial institutions. The industry was concerned that the rule failed to distinguish between large and small financial institutions, and that it may further conflict with future federal regulations on cybersecurity. In response to recent public comments, the department has agreed to ease certain requirements for encrypting data and breach notification, to name a few. In particular, encryption requirements have been stepped back to provide that in the event encryption is found to be “infeasible” for some sensitive data, entities can provide an alternate method of security for the data, approved by the company’s Chief Information Security Officer.

Other notable revisions include: A limited small business exemption, risk-based assessments, clarification with respect to the role and function of the Chief Information Security Officer, less strict audit trails requirement, and what triggers the 72-hour reporting period to notify the department of a cybersecurity event.  The full text of the proposed rule can be found here.

The rule will again be subject to a 30-day comment period. The department will focus its final review on new comments not raised previously.

Once implemented, this will be the first rule of its kind in the United States. All financial institutions under the jurisdiction of NYDFS—including banks, lenders, insurers, mortgage companies, and money services businesses—should carefully evaluate the requirements and consider submitting public comments. Once the rule goes into effect on March 1, 2017, financial institutions will need to ensure compliance within 6 months to 2 years (depending on the applicable tier).

©1994-2024 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Current Legal Analysis

More from Mintz

DOJ Releases COVID-19 Fraud Enforcement Task Force Report Touting Its Successes and Urging Lawmakers to Enact New Legislation
by: Jane Haviland , Abdie Santiago
SEC’s Enforcement Authority Over Crypto Asset Transactions Upheld (Again) in Case Against Coinbase
by: Cory S. Flashner , Steve Ganis
Canada’s 2024 Federal Budget: The Time Is Now ... to Lock in Lower Tax Rates
by: Katy Pitch
American Privacy Rights Act – Another Shot at a Comprehensive Federal Privacy Law
by: Cynthia J. Larose , Christopher J. Buontempo
Tony Bennett May Have Left His Heart in San Francisco but the City's Appeal of Its NPDES Permit is on its Way to the United States Supreme Court.
by: Jeffrey R. Porter
Navigating Health Tech: Regulations for AI/ML in Medical Devices and Software [Video]
by: Benjamin M. Zegarelli , Pat G. Ouellette
Supreme Court Narrows the Reach of Omission Liability Claims Under Section 10(b) of the Exchange Act
by: Douglas P. Baumstein , Jason C. Vigna
Office of the Level Playing Field
by: Jennifer B. Rubin
The Sun is About to Set on Temporary CCPA/CPRA Exemptions: Employers Get Ready
by: Cynthia J. Larose
New Jersey Adopts a Comprehensive Data Privacy Law
by: Cynthia J. Larose , Jon Taylor

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins