January 05, 2017 Practice Points

NYS Department of Financial Services Announces Changes to Proposed Cybersecurity Regulation

Covered entities will have 180 days from the effective date to become compliant.

By Danielle Pomeraniec

On December 28, 2016, the New York State Department of Financial Services (DFS) announced that it had made several changes to its proposed cybersecurity regulation, 23 NYCRR 500, in response to public comments. The most noteworthy change is the delay of the regulation’s effective date from January 1, 2017 to March 1, 2017. With the postponement, covered entities, as defined by the regulation, will have 180 days from the effective date (until September 1, 2017) to become compliant.

The regulation, first proposed in September 2016, drew criticism from numerous parties who found it to be rigid, overly broad, and difficult to implement. Despite the negative feedback, the “DFS believes that the proposed regulation effectively addresses the required elements of a cybersecurity program at this time, along with DFS’s overall supervisory authority.” New York State Department of Financial Services, Assessment of Public Comments for New Part 500 to 23 NYCRR, http://www.dfs.ny.gov/legal/regulations/proposed/rp500apc.pdf.

Underlying the announced changes is the department’s emphasis on its original intent to have risk-based requirements tied to covered entities’ risk assessments, as defined in the regulation. One noteworthy change is to the reporting requirements set out in section 500.17, which now requires that notice be given to the superintendent of financial services within 72 hours of determining that a cybersecurity event, as defined by the regulation, has occurred (i) “of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body;” and (ii) that has “a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.” Id. The regulation previously required a report to be made within 72 hours of the breach without qualification.

Danielle Pomeraniec is an associate attorney at Koster, Brady & Nagler, LLP, in New York City, New York.


Copyright © 2017, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).