<div dir="ltr"><a href="http://www.newyorklawjournal.com/id=1202775640002/New-York-Delays-Implementation-of-Cybersecurity-Mandate-by-Two-Months?slreturn=20161128163022">http://www.newyorklawjournal.com/id=1202775640002/New-York-Delays-Implementation-of-Cybersecurity-Mandate-by-Two-Months?slreturn=20161128163022</a><br><br><div id="gmail-temisReplace">
<p>Implementation of a new mandate on financial services
companies to establish broad safeguards against cyberattack is being
pushed back by two months, New York state regulators said Wednesday.</p><p>In
amendments to the cybersecurity rules it first filed in September, the
Department of Financial Services (DFS) said that it is retaining the
general parameters of its requirements, despite receiving negative
comments about the plan from trade groups and companies within the
affected banking and insurance industries (<a href="http://www.newyorklawjournal.com/id=1202773512546/Financial-Industry-Groups-Slam-States-Proposed-Cybersecurity-Rules?mcode=1202615036097&curindex=1" target="_blank">NYLJ, Nov. 30</a>).</p><p>"DFS
believes that the proposed regulation effectively addresses the
required elements of a cybersecurity program at this time, along with
DFS's overall supervisory authority," the department said in an
"assessment" of the 150 public comments it has received on the plan.</p><p>The
revisions indicated that DFS would delay the implementation date of the
new regulation from the original Jan. 1, 2017, date to March 1, 2017,
giving the affected companies 180 days, or until Sept. 1, to begin
complying with its provisions. The original compliance date had been
July 1. The DFS did not change the Feb. 15, 2018, date by which regulated
companies would have to submit a certificate of compliance to the
department, indicating that they were complying with the terms of the
cybersecurity protections.</p><p>The department said that it would
not yield, however, on certain points of its plan including the
definition of a "cybersecurity event" as an actual or attempted security
breach that would require a company to report to the department within 72
hours and the requirement for companies to file copies of their updated
security plans each year with the department. Under the plan, companies
also would need to harmonize its guidelines with those developed by
other regulating entities such as the National Institute of Standards
and Technology (NIST), or Congress under the Gramm-Leach-Bliley Act.</p><p>"The
department has been continually mindful of other standards and
approaches and believes that the revised regulation is appropriately
consistent with the goal of setting minimum [cybersecurity] standards," a
revised version of DFS's proposed cybersecurity regulation published
Wednesday by the state Department of State explained.</p><p>In general,
the department said it believes the program it initially outlined in the
fall is sound and would serve to protect both the confidential
information held by financial services companies about consumers and
sensitive corporate records.</p><p>The DFS said it was reworking its
regulations to make clear that companies will be required to designate a
chief information security officer, but not to hire a new employee to
hold the title.</p><p>Publication Wednesday of the DFS's revisions to
its regulations, which are contained in state Financial Services Law §§
102, 201, 202, 301, 302 and 408, started a new 30-day period for public
comment.</p><p>Gov. Andrew Cuomo hailed the DFS's proposal in September
as the first of its kind in the nation and said he was squarely behind
the initiative (<a href="http://www.law.com/sites/almstaff/2016/09/14/counsel-skeptical-of-nys-proposed-cybersecurity-rules-for-banks-insurers/" target="_blank" rel="nofollow">NYLJ, Sept. 15</a>).</p></div>
<br></div>