Special Alert: Revised NYDFS Cybersecurity Rule
On December 28, 2016, the New York Department of Financial Services (DFS) issued a revised version (Revised Proposed Rule) of the cybersecurity rule for financial institutions that it first issued on September 13, 2016 (Proposed Rule). The revision came after DFS received more than 150 comments in response to the Proposed Rule, and after a hearing before New York State lawmakers. The Revised Proposed Rule retains the spirit of the original Proposed Rule, but offers covered entities somewhat more flexibility in implementing the requirements.
The Proposed Rule marked the next step in a period of increased focus on cybersecurity by the agency. Between May 2014 and April 2015, DFS issued three reports relating to cybersecurity in the financial and insurance industries. In November 2015, DFS issued a letter to federal financial services regulatory agencies, which alerted the federal regulators to DFS’s proposed regulatory framework and invited comment from the regulators.
In the September release, DFS explained that the Proposed Rule is a response to the “ever-growing threat posed to information and financial systems by nation-states, terrorist organizations, and independent criminal actors.” As originally written, the Proposed Rule covered financial institutions operating under a charter or license issued by DFS, and set cybersecurity program, policy, training, and reporting requirements that are more stringent than the current federal requirements. The Proposed Rule gave a January 1, 2017 effective date, with a 180-day transitional period.
Taking into consideration the concerns raised in the comment letters, the New York State Assembly’s Standing Committee on Banks held a public hearing on December 19, 2016, regarding cybersecurity and the Proposed Rule. Among the chief concerns expressed at the hearing and in the comment letters were the cost of compliance, especially for smaller banks, and that the Proposed Rule’s “one-size-fits-all” requirements do not consider the varying operational structures, business models, and risk profiles of financial institutions. There was also concern that the Proposed Rule was too different from the current federal requirements.
* * *
We will continue to monitor the DFS rulemaking process. If you have questions about the Revised Rule or other cybersecurity issues, visit our Privacy, Cyber Risk & Data Security practice for more information, or contact a Buckley Sandler attorney with whom you have worked in the past.