The NYS Department of Financial Services Has Revised Its Proposed Cybersecurity Regulation, Allowing for an Additional 30-Day Public Comment Period

The holidays provided an extra gift for those entities licensed or registered under New York’s banking, insurance or financial services laws.

The New York State Department of Financial Services (DFS) has revised its proposed cybersecurity regulation, which was published in the New York State Register on December 28, 2016. The revised regulation was in response to the immense backlash the original regulation received. Many believed the original regulation was overly broad, imposed too many technical requirements, had a “one-size-fits-all” scheme that simply was not workable across the board, used terms that were overly broad and/or ambiguous, and imposed great costs on those needing to comply with, and report under, the regulation.

There were over 150 written comments and extensive testimony before the New York State Assembly Standing Committee on Banks from various entities. DFS considered the comments and testimony, and the revised regulation was then published on December 28, 2016.

Some key points concerning the revised regulation:

There is still time to comment. Covered entities have another 30-day period to submit comments about the revised proposed regulation before it becomes effective on March 1, 2017.

Timelines have been pushed out. The revised proposed regulation will take effect March 1, 2017 (instead of January 1, 2017). Covered entities will have an extra month to report compliance with the regulation, i.e., they will now have until February 15, 2018 to report compliance. These entities, however, will have 18 months to develop audit trail systems and write certain procedures and policies; two years to develop procedures and policies for vendors; and one year to accomplish a variety of other reporting and assessment requirements.

Technical requirements have been softened. The revised proposed regulation no longer requires encryption of all nonpublic data if encryption is “infeasible.” The revisions allow the covered entities to have more of a voice in what a cybersecurity program should look like and what would work best for their business – instead of a specific schedule for assessments and compulsory technical standards. It allows covered entities to engage in their own risk assessment to determine what is reasonable.

There is still a rapid notice requirement. The 72-hour notice requirement is still present, but events that trigger notice are more closely aligned to current notification laws across the country and in federal and state reporting requirements.

The revised regulation is still broad, particularly in how it defines a “Cybersecurity Event” and “Information Systems.”

DFS is listening, so covered entities should take advantage of the 30-day comment period. In addition, covered entities should evaluate whether their current cybersecurity program meets the requirements of the revised proposed regulation – because on February 15, 2018, they will need to certify compliance with the regulation.

Additional Assistance

Phillips Lytle’s Data Security & Privacy Practice Team can assist with developing a compliant cybersecurity program, or with reviewing current programs for compliance with the proposed regulation, if and when it is adopted, and with other state, federal and international requirements. The team has worked with our financial, banking and insurance clients, and those in other highly regulated industries, to evaluate current crisis management plans, develop new plans, and review and comment on policies and procedures concerning record retention and data security and privacy. Phillips Lytle can provide guidance on the due diligence of reviewing third-party vendor contracts, services and relationships. The team has also litigated to defend clients affected by cyber attacks or other crimes, and assisted in addressing issues raised by government regulators.

With attorneys who were former technology business owners and advisors to the nation’s intelligence, military and law enforcement leaders who are immersed in the technology industry, Phillips Lytle is uniquely qualified to provide the legal and business perspectives necessary to develop sound data privacy and security plans.

Even if you are currently working with consultants to develop a cybersecurity program, the policies and procedures should be reviewed by legal counsel to ensure compliance with the regulations and other laws to help avoid possible enforcement actions.

For questions regarding DFS’ new cybersecurity regulation, please contact Jennifer A. Beckage, Esq. on our Data Security & Privacy Practice Team.