Following Intense Industry Criticism, New York Overhauls Cybersecurity Requirements for Financial Services Companies

Following Intense Industry Criticism, New York Overhauls Cybersecurity Requirements for Financial Services CompaniesOn November 9, 2016, we published a post informing that the New York State Department of Financial Services (“DFS”) announced groundbreaking cybersecurity regulation for financial institutions. We apprised that the cybersecurity regulation would require covered entities to create and maintain a written cybersecurity policy that outlines every aspect of its program and addresses how the entity complies with each of the requirements set forth in the proposed regulation.

During the 45-day notice and comment period, which closed on November 14, 2016, DFS received a barrage of negative feedback from industry groups. The cybersecurity regulation was largely criticized for departing from existing cybersecurity regulations and requirements, lacking a risk-based approach, and being impractical and technically infeasible to implement.

In response to intense criticism, on December 28, 2016, DFS relaxed its approach and announced its updated cybersecurity regulation.

Key changes include:

  1. a risk-based approach to implementing a cybersecurity program;
  2. the ability to adopt the cybersecurity program of an affiliate;
  3. the ability to use alternative controls when encryption of non-public information is infeasible; and,
  4. staggered transitional periods – up to two years – for implementing the updated cybersecurity regulation.

The updated cybersecurity regulation is under a 30-day notice and comment period, which expires later this month.

Related Blog Post:

Search Blog

Follow Us

Recent Posts

Popular Categories

Editors

Archives

Jump to Page

Shutts & Bowen, established in 1910, is a full-service business law firm with approximately 300 lawyers located in eight offices across Florida.

By using this site, you agree to our updated Privacy Policy and our Terms of Use.