In late December, New York’s Financial Services Superintendent Maria T. Vullo announced that the New York Department of Financial Services’ (“DFS”) new cybersecurity regulations would not go into effect on January 1, 2017 as initially planned. These “first-in-the-nation” cybersecurity regulations were designed to help protect consumers and the financial system from the increasingly serious threat of cyberattacks. However, the regulations faced opposition from the financial services companies and insurers that would have been subject to them.
The proposed regulations would have required insurers, banks and other financial institutions to develop detailed, specific plans for data breaches, appoint a Chief Information Security Officer (“CISO”), and increase customer data monitoring by their vendors. More specifically, the proposed regulations would have required regulated entities to adopt a written cybersecurity policy that addressed, at a minimum, the following criteria: 1) information security; 2) data governance and classification; 3) access controls and identity management; 4) business continuity and disaster recovery planning and resources; 5) capacity and performance planning; 6) systems operations and availability concerns; 7) systems and network security; 8) systems and network monitoring; 9) systems and application development and quality assurance; 10) physical security and environmental controls; 11) customer data privacy; 12) vendor and third-party service provider management; 13) risk assessment; and 14) incident response. The proposed regulations also would have required regulated entities to conduct penetration testing and vulnerability assessments of their own systems, to implement multi-factor authentication for individuals with privileged access to internal systems or for support functions including remote access, and to encrypt all non-public information held or transmitted.
In response to critical public comments on the proposed regulations, DFS agreed to update the proposed rule in order to ease certain requirements and give regulated entities a longer period of time to review the rule before it became final. In particular, the updated proposed regulations relax the requirements for encryption where encryption of certain non-public data is infeasible, contain a small business exemption (exempting companies with fewer than 10 employees, less than $5M in gross annual revenue, or less than $10M in year-end total assets), clarify the role of the CISO, clarify the triggers for the 72-hour reporting obligation for a “Cybersecurity Event,” and slightly modify the criteria required to be addressed in a company’s written cybersecurity policy.
The updated proposed regulation was submitted to the NY State Register on December 15, 2016, published on December 28, 2016 and is currently within the 30-day notice and comment period. It is to take effect on March 1, 2017 with varying transitional periods for compliance with different provisions of the regulation, the shortest being 180 days. Updates to follow.