13 January 2017

New York Department Of Financial Services Issues Updated Proposed Cybersecurity Regulation

Orrick

Contributor

Orrick is a global law firm focused on serving the technology & innovation, energy & infrastructure and finance sectors. Founded over 150 years ago, Orrick has offices in 25+ markets worldwide. Financial Times selected Orrick as the Most Innovative Law Firm in North America for three years in a row.

On December 28, 2016, the New York State Department of Financial Services ("DFS") announced that it has updated its proposed first‑in‑the‑nation cybersecurity regulation. The proposed regulation, which will be effective March 1, 2017, will require banks, insurance companies and other financial services institutions regulated by DFS to adopt a cybersecurity program by assessing their specific risk profiles and designing a program to address those risks accordingly.

According to the DFS, "This updated proposal allows an appropriate period of time for regulated entities to review the rule before it becomes final and make certain that their systems can effectively and efficiently meet the risks associated with cyber threats."

Among the changes made, the definition of "Exemptions" has been expanded to provide:

  • that "Covered Entities" that have less than the specified number of employees, gross annual revenue or year‑end total assets shall be exempt from the requirements of enumerated sections;
  • an exemption for an employee, agent, representative or designee of a Covered Entity, who is itself a Covered Entity;
  • an exemption from enumerated sections for a Covered Entity that does not directly or indirectly operate, maintain, utilize or control any "Information Systems" and that does not, and is not required to, directly or indirectly control, own, access, generate, receive or possess "Nonpublic Information";
  • a requirement that Covered Entities that qualify for an exemption file a "Notice of Exemption"; and that a Covered Entity that ceases to qualify for an exemption must comply with all applicable requirements of the proposed rule.

The updated proposed regulation will be finalized following a 30-day notice and public comment period. Press Release. DFS Assessment of Public Comments. DFS Summary. Proposed Regulation (As Revised).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
