A new mandate on financial services companies to establish broad safeguards against cyberattacks is being pushed back by two months, New York state regulators said Wednesday.
In amendments to the cybersecurity rules filed in September, the Department of Financial Services (DFS) said it was retaining the general parameters of its requirements, despite negative comments from trade groups and companies within the affected banking and insurance industries (NYLJ, Nov. 30).
“DFS believes that the proposed regulation effectively addresses the required elements of a cybersecurity program at this time, along with DFS’s overall supervisory authority,” the agency said in an “assessment” of 150 public comments it received.
The revisions indicated that the department would delay the effective date of the new regulation from Jan. 1 to March 1, giving the affected companies 180 days, or until Sept. 1, to begin complying. The original compliance date had been July 1.
The department did not change the date of when regulated companies would have to submit a certificate of compliance to the department — Feb. 15, 2018 — indicating that it was complying with terms of the cybersecurity protections. The agency altered its plan in a few areas that public comments indicated were of most serious concern to regulated companies. In particular, they said they would allow companies more latitude to tailor their cybersecurity plans to the particular weaknesses that are reflected in the risk assessments that the state will require banks and insurers to perform.
Most of the negative comments included criticism that the proposal did not give companies enough flexibility to address areas where security risks to its records were most pressing.
The department also eased the reporting requirements when “cybersecurity events” occur. While still requiring companies to notify them within 72 hours, the department said the mandate would apply only to incidents that companies concluded had a reasonable likelihood of compromising confidential information.
The department said it would still require companies to file copies of their updated security plans each year and regularly update plans as the risk of threats demands.
It also preferred to continue with the parameters of the plan it advanced in September, in answer to critics who said the state should harmonize its cybersecurity guidelines with those developed by other regulating entities such as the National Institute of Standards and Technology, or Congress under the Gramm-Leach-Bliley Act.
“The department has been continually mindful of other standards and approaches and believes that the revised regulation is appropriately consistent with the goal of setting minimum [cybersecurity] standards,” a revised version of its proposed cybersecurity regulation published Wednesday by the New York Department of State explained.
The department said it was reworking its regulations to make clear that companies will be required to designate a chief information security officer, but not to hire a new employee to fill the position.
Edward McAndrew, a partner and cybersecurity expert at Ballard Spahr in Washington, D.C., said Wednesday the revised regulations reflect the department’s willingness to compromise, particularly over providing companies flexibility to tailor security programs according to what their risk assessments indicated need work. “I think that’s really important and it goes a long way toward responding to the concern that this was a one-size-fits-all requirement,” McAndrew said.
He said the narrowing of the reporting requirement to only those incidents that appear to have actually caused breaches of security will reduce the obligations of companies and the record-keeping responsibilities of the financial services department.
McAndrew and Michael Gottlieb, a partner at Boies, Schiller & Flexner and a leader of the firm’s privacy, cybersecurity and technology practice, agreed in separate interviews Wednesday that the implementation of the New York rules would probably prompt other regulators to act.
“From the moment it goes into effect, the DFS cybersecurity regulation will raise the bar for U.S. cybersecurity compliance standards,” Gottlieb said. “Other regulators may follow suit with increasingly specific and stringent requirements.”
Aaron Tantleff, a partner at Foley & Lardner in Chicago who specializes in cybersecurity issues, said that while he welcomed the additional clarity and flexibility the DFS brought to the New York regulations, he doubted that the two-month delay to March 1 will give companies much additional time to prepare for the new rules. Publication Wednesday of the revisions to its regulations, which are contained in Financial Services Law §§102, 201, 202, 301, 302 and 408, started a new 30-day period for public comment.
DFS Superintendent Maria Vullo said Wednesday that delaying the effective date of the regulation should give all regulated entities time to make sure their systems “effectively and efficiently meet the risks associated with cyberthreats.”
Gov. Andrew Cuomo hailed the department’s proposal in September as the first of its kind in the nation and said he supported the initiative.