On November 9, 2016, we published a post reporting that the New York State Department of Financial Services (“DFS”) had announced a groundbreaking cybersecurity regulation for financial institutions. We noted that the regulation would require each covered entity to create and maintain a written cybersecurity policy that outlines every aspect of its program and addresses how the entity complies with each of the requirements set forth in the proposed regulation.
During the 45-day notice and comment period, which closed on November 14, 2016, DFS received a barrage of negative feedback from industry groups. The cybersecurity regulation was largely criticized for departing from existing cybersecurity regulations and requirements, lacking a risk-based approach, and being impractical and technically infeasible to implement.
In response to intense criticism, on December 28, 2016, DFS relaxed its approach and announced its updated cybersecurity regulation.
Key changes include:
- a risk-based approach to implementing a cybersecurity program;
- the ability to adopt the cybersecurity program of an affiliate;
- the ability to use alternative controls when encryption of non-public information is infeasible; and,
- staggered transitional periods – up to two years – for implementing the updated cybersecurity regulation.
The updated cybersecurity regulation is under a 30-day notice and comment period, which expires later this month.