On September 22, 2016 AGMB issued an Alert about new cybersecurity regulations proposed by the New York Department of Financial Services (NYDFS) which aimed to protect consumers and financial institutions from cyber-attacks by requiring banks, insurance companies, and other financial services institutions regulated by the New York State Department of Financial Services (collectively “financial service companies”) to establish and maintain cybersecurity programs. The proposal stated that all regulated financial service companies in New York (a “Covered Entity”) must establish a cyber security program designed to identify, defend against, and respond to internal and external cyber risks. The full AGMB Alert, which includes many of the remaining requirements, is available at the following link: https://agmblaw.com/nydfs-cybersecurity-proposal/. After a period of public comment, the NYDFS proposed a revised set of regulations on December 28, 2016. The revised regulations include several changes, summarized below:
- The effective date of the new regulation has been changed from January 1, 2017 to March 1, 2017. Covered Entities have 180 days or until September 1, 2017 to comply, which was moved from July 1, 2017.
- Cyber security plans are now to be based off the companies risk assessments, which will “give companies more flexibility to address areas where security risks are most pressing.”
- Covered Entities must report a “cyber-security” event within 72 hours of the event. However, this requirement now only applies to incidents that have “a reasonable chance of compromising confidential information.”
- Covered Entities are required to hire a Chief Information Security Officer (“CISO”). However, the CISO does not necessarily need to be a new employee or “an individual exclusively dedicated to the job.”
These revisions are currently undergoing another 30 day comment period, which began on December 28, 2016. The text of the revised rule can be found at: http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf.