On December 28, 2016, the New York State Department of Financial Services (DFS) announced that it had made several changes to its proposed cybersecurity regulation, 23 NYCRR 500, in response to public comments. The most noteworthy change is the delay of the regulation's effective date from January 1, 2017 to March 1, 2017. With the postponement, covered entities, as defined by the regulation, will have 180 days from the effective date (until September 1, 2017) to become compliant.
The regulation, first proposed in September 2016, drew criticism from numerous parties who found it to be rigid, overly broad, and difficult to implement. Despite the negative feedback, the “DFS believes that the proposed regulation effectively addresses the required elements of a cybersecurity program at this time, along with DFS’s overall supervisory authority.” New York State Department of Financial Services, Assessment of Public Comments for New Part 500 to 23 NYCRR, http://www.dfs.ny.gov/legal/regulations/proposed/rp500apc.pdf.
Underlying the announced changes is the department's emphasis on its original intent to have risk-based requirements tied to each covered entity's risk assessment, as defined in the regulation. One noteworthy change is to the reporting requirements set out in section 500.17, which now require that notice be given to the superintendent of financial services within 72 hours of determining that a cybersecurity event, as defined by the regulation, has occurred (i) "of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body;" and (ii) that has "a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity." Id. The regulation previously required a report to be made within 72 hours of the breach without qualification.