Financial Services Agency Revises New York Cybersecurity Regulation, Delays Effective Date

The New York Department of Financial Services released an updated version of its cybersecurity law slated to take effect March 1, 2017; the original version was to become effective on January 1, 2017. The regulation will require banks, insurance companies, and other financial services institutions regulated by DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety of the state’s financial services industry. The revised proposal is less stringent than the original version and includes significant changes, including procedures for monitoring and testing of the cybersecurity program, risk assessment and data encryption requirements. The revised proposal also allows an entity to adopt a cybersecurity program maintained by an affiliate and allows a firm to designate an affiliate’s chief information security officer or use a third party provider or designated employee to fulfill the role. The extended public comment period ends January 27, 2017.