On December 28, 2016, the New York Department of Financial Services (“DFS”) published an updated version of its proposed “Cybersecurity Requirements for Financial Services Companies.” The updated regulations will become effective on March 1, 2017. As previously reported, these regulations are an important step in the ongoing national dialogue about reasonable and necessary cybersecurity standards for all businesses.
The proposed regulations were updated in response to over 150 formal comments received by the DFS from individuals and a variety of entities and trade associations, and were made (according to the DFS) in an effort to make the regulations more flexible and risk-based. The extensive updates include the following key changes:
- the definition of “Nonpublic Information” has been modified to more closely track the language of other standards, including the breach notification statute;
- the required Cybersecurity Policy for a Covered Entity is now tied to the entity’s Risk Assessment, and now must also address “asset inventory and device management”;
- the Chief Information Security Officer for a Covered Entity may be employed by a Third Party Service Provider;
- the Covered Entity’s obligations with respect to any external service providers that access Information Systems and Nonpublic Information is now based on the Covered Entity’s Risk Assessment as well as an assessment of the risks presented by the service providers;
- modification of the limited exemptions that may be available for Covered Entities, and a notice of exemption filing requirement; and
- the addition of Transitional Periods designed to provide outside deadlines for compliance with specific requirements.