Business and Legal Insights

On November 9, 2016, we published a post informing that the New York State Department of Financial Services (“DFS”) announced groundbreaking cybersecurity regulation for financial institutions. We apprised that the cybersecurity regulation would require covered entities to create and maintain a written cybersecurity policy that outlines every aspect of its program and addresses how the entity complies with each of the requirements set forth in the proposed regulation.

During the 45-day notice and comment period, which closed on November 14, 2016, DFS received a barrage of negative feedback from industry groups. The cybersecurity regulation was largely criticized for departing from existing cybersecurity regulations and requirements, lacking a risk-based approach, and being impractical and technically infeasible to implement.

In response to intense criticism, on December 28, 2016, DFS relaxed its approach and announced its updated cybersecurity regulation.

Key changes include:

1. a risk-based approach to implementing a cybersecurity program;
2. the ability to adopt the cybersecurity program of an affiliate;
3. the ability to use alternative controls when encryption of non-public information is infeasible; and,
4. staggered transitional periods – up to two years – for implementing the updated cybersecurity regulation.

The updated cybersecurity regulation is under a 30-day notice and comment period, which expires later this month.

Related Blog Post:

• New York Announces Proposed “Groundbreaking” Cybersecurity Regulation for Financial Institutions