[BreachExchange] New York Delays Implementation of Cybersecurity Mandate by Two Months

Inga Goddijn inga at riskbasedsecurity.com
Wed Dec 28 17:48:00 EST 2016


http://www.newyorklawjournal.com/id=1202775640002/New-York-Delays-Implementation-of-Cybersecurity-Mandate-by-Two-Months?slreturn=20161128163022

Implementation of a new mandate on financial services companies to
establish broad safeguards against cyberattack is being pushed back by two
months, New York state regulators said Wednesday.

In amendments to the cybersecurity rules it first filed in September, the
Department of Financial Services (DFS) said that it is retaining the
general parameters of its requirements, despite receiving negative comments
about the plan from trade groups and companies within the affected banking
and insurance industries (NYLJ, Nov. 30
<http://www.newyorklawjournal.com/id=1202773512546/Financial-Industry-Groups-Slam-States-Proposed-Cybersecurity-Rules?mcode=1202615036097&curindex=1>
).

"DFS believes that the proposed regulation effectively addresses the
required elements of a cybersecurity program at this time, along with DFS's
overall supervisory authority," the department said in an "assessment" of
the 150 public comments it has received on the plan.

The revisions indicated that DFS would delay the implementation date of the
new regulation from the original Jan. 1, 2017, date to March 1, 2017,
giving the affected companies 180 days, or until Sept. 1, to begin
complying with its provisions. The original compliance date had been July
1. The DFS did not change the Feb. 15, 2018, deadline by which regulated
companies must submit a certificate of compliance to the department,
attesting that they are complying with the terms of the cybersecurity
protections.

The department said that it would not yield, however, on certain points of
its plan including the definition of a "cybersecurity event" as an actual
or attempted security breach that would require a company report to the
department within 72 hours and the requirement for companies to file copies
of their updated security plans each year with the department. Under the
plan, companies also would need to harmonize their guidelines with those
developed by other regulating entities such as the National Institute of
Standards and Technology (NIST), or by Congress under the Gramm-Leach-Bliley
Act.

"The department has been continually mindful of other standards and
approaches and believes that the revised regulation is appropriately
consistent with the goal of setting minimum [cybersecurity] standards," a
revised version of DFS's proposed cybersecurity regulation published
Wednesday by the state Department of State explained.

In general, the department said it believes the program it initially
outlined in the fall is sound and would serve to protect both the
confidential information held by financial services companies about
consumers and sensitive corporate records.

The DFS said it was reworking its regulations to make clear that companies
will be required to designate a chief information security officer, but not
to hire a new employee to hold the title.

Publication Wednesday of the DFS's revisions to its regulations, which are
contained in state Financial Services Law §§ 102, 201, 202, 301, 302 and
408, started a new 30-day period for public comment.

Gov. Andrew Cuomo hailed the DFS's proposal in September as the first of
its kind in the nation and said he was squarely behind the initiative (NYLJ,
Sept. 15
<http://www.law.com/sites/almstaff/2016/09/14/counsel-skeptical-of-nys-proposed-cybersecurity-rules-for-banks-insurers/>
).