New York Eases Proposed Cybersecurity Regulation for Financial Sector, But Practical Issues Remain

3 January 2017

Key takeaways

  • The New York Department of Financial Services has issued a second-round draft of its proposed cybersecurity regulation, subject to a new notice and comment period and now slated to go into effect on March 1, 2017.
  • The new draft makes modest but meaningful changes towards a more risk-based and less prescriptive approach, maintaining the same broad range of cybersecurity requirements but building in some flexibility within most sections in response to industry comments.
  • Covered Entities will now have somewhat more latitude to design and execute a cybersecurity program based on risk assessments of their own circumstances, including greater flexibility with respect to the use of encryption, the supervision of third-party service providers, the reporting of cyber incidents to DFS, and the schedule for compliance with the regulation.