- NY DFS Publishes Revised Proposed Cybersecurity Rules for Financial Services Companies
- January 2, 2017 | Authors: Mark D. Herlach; John S. Pruitt; Stephen E. Roth; Cynthia R. Shoss; Phillip E. Stano
- Law Firms: Sutherland Asbill & Brennan LLP - Washington Office; Sutherland Asbill & Brennan LLP - New York Office; Sutherland Asbill & Brennan LLP - Washington Office; Sutherland Asbill & Brennan LLP - New York Office; Sutherland Asbill & Brennan LLP - Washington Office
- On December 28, 2016, the New York Department of Financial Services (the DFS) published a revised proposed cybersecurity regulation (the Revised Regulation) for further public comment. First published in September 2016, the Revised Regulation is a culmination of three years of work by the DFS to prioritize cybersecurity oversight. It is designed to promote the protection of nonpublic information as well as information technology systems of banks, insurance companies, and other financial services providers regulated by the DFS (Covered Entities).
The Revised Regulation is now proposed to become effective on March 1, 2017, and entities subject to the regulation would have 180 days from this effective date to comply, although, as discussed below, the regulation allows additional time to comply with certain requirements. The notice and public comment period ends on January 27, 2017, and the DFS is expected to finalize the regulation shortly thereafter. The DFS’s final review will focus on any comments that were not raised during the original comment process.
A number of public comments on the original proposal are addressed by the changes. The DFS rejected others. The greatest volume of changes are where the DFS has clarified that requirements are linked to the results of a Covered Entity’s risk assessment, consistent with the DFS’s stated intention to have risk-based rules. Notably, in its assessment of public comments, the DFS said that while it believes an entity should model its cybersecurity program on its cybersecurity risks, the risk assessment is not intended to permit a cost-benefit analysis of acceptable losses.
Key specific changes and additions to the Revised Regulation include:
- Cybersecurity Policy
- Cybersecurity Program
- Audit Trail
- Third-Party Service Provider Security Policy
- Chief Information Security Officer
- Encryption of Nonpublic Information
- Notices to Superintendent
- Transitional Periods
Note, however, that the Revised Regulation also requires an exempt Covered Entity to file a notice of exemption with the DFS.