N.Y. Department of Financial Services Makes Adjustments to Its Cybersecurity Regulations
Most requirements remain in place for firms, but the update allows them more flexibility
By Debbie Brenner
The New York State Department of Financial Services recently made some adjustments to its proposed cybersecurity regulation to give financial institutions more flexibility after weighing critiques it received during an open-comment period.
The NYDFS published the updated proposal on Wednesday and stated that it will still require banks, insurance companies and other financial institutions to establish a cybersecurity program and appoint a CISO, but will give them more time by moving the deadline to March 2017 instead of January.
Furthermore, the agency will now allow firms to report cyberattacks within 72 hours of determining that a breach occurred, rather than within 72 hours of the actual breach.
During the public-comment period for the original proposal, the American Insurance Organization, an industry group, criticized the proposal as difficult to implement and argued that it could weaken security instead of strengthening it.
For example, the association said the six-year retention period mandated by the original rule was unnecessary and would create an additional stockpile of data for hackers to target. The updated proposal shortens the retention period to five years.
The proposed rule is subject to another 30-day comment period before it can be implemented.
We recently held a webinar with IBM’s Sr. Financial Cyber Security Specialist to discuss NY’s cyber security requirements for financial institutions.