A new mandate on financial services companies to establish broad safeguards against cyberattacks is being pushed back by two months, New York state regulators said Wednesday.
In amendments to the cybersecurity rules filed in September, the Department of Financial Services (DFS) said it was retaining the general parameters of its requirements, despite negative comments from trade groups and companies within the affected banking and insurance industries (NYLJ, Nov. 30).
“DFS believes that the proposed regulation effectively addresses the required elements of a cybersecurity program at this time, along with DFS’s overall supervisory authority,” the agency said in an “assessment” of 150 public comments it received.
The revisions indicated that the department would delay the effective date of the new regulation from Jan. 1 to March 1, giving the affected companies 180 days, or until Sept. 1, to begin complying. The original compliance date had been July 1.
The department did not change the date of when regulated companies would have to submit a certificate of compliance to the department — Feb. 15, 2018 — indicating that it was complying with terms of the cybersecurity protections. The agency altered its plan in a few areas that public comments indicated were of most serious concern to regulated companies. In particular, they said they would allow companies more latitude to tailor their cybersecurity plans to the particular weaknesses that are reflected in the risk assessments that the state will require banks and insurers to perform.
Most of the negative comments included criticism that the proposal did not give companies enough flexibility to address areas where security risks to its records were most pressing.
The department also eased the reporting requirements when “cybersecurity events” occur. While still requiring companies to notify them within 72 hours, the department said the mandate would apply only to incidents that companies concluded had a reasonable likelihood of compromising confidential information.
The department said it would still require companies to file copies of their updated security plans each year and regularly update plans as the risk of threats demands.
It also preferred to continue with the parameters of the plan it advanced in September, in answer to critics who said the state should harmonize its cybersecurity guidelines with those developed by other regulating entities such as the National Institute of Standards and Technology, or Congress under the Gramm-Leach-Bliley Act.
“The department has been continually mindful of other standards and approaches and believes that the revised regulation is appropriately consistent with the goal of setting minimum [cybersecurity] standards,” a revised version of its proposed cybersecurity regulation published Wednesday by the New York Department of State explained.