The New YorkState Department of Financial Services (NYDFS) last week issuedan updated draft of its cybersecurity regulations after consideringsubmitted comments, issues, and concerns regarding its initialproposal.

Financial institutions should be aware of any modifications toensure they are up-to-date on the requirements.

The updated regulations appear to be more practical and are moreclearly risk-based than the original version proposed in September2016. Many of its requirements are now linked to each coveredentity's risk assessment, which must be conducted and updated"periodically."  

Updated regulations

The regulations — which take effect March 1, 2017, following asecond 30-day notice and public comment period — apply to banking,insurance and other financial services organizations that fallunder the purview of the NYDFS. The regulations havebeen modified in the following additional key areas:

• The definition of "nonpublic information," which is subject tothe regulation, has been revised to make it narrower and closer tothe more common definitions of "personal information."
• Many requirements received extended compliance timelines,ranging from 12 to 24 months compared to the default of sixmonths.
• Covered entities can comply through an affiliate; therefore, agroup of companies need not have multiple programs.
• Covered entities are no longer required to identifynonpublicinformation stored in their systems.
• The requirement to have an annual review of the cybersecuritypolicy by the board of directors of the covered entity has beenremoved.
• Multifactor authentication and encryption of data in transitand at rest are no longer mandatory and are dependent on the riskassessment and the existence of compensating controls.
• The requirement to conduct quarterly penetration testing hasbeen relaxed to allow for periodic and continuous reviewing,monitoring and testing.
• The requirements for third-party service providers (TPSPs) havebeen softened to allow more flexibility in contract negotiationswith TPSPs.
• Incident response plans must only address events "materially"affecting information systems or the continuing functionality of afinancial institution's business or operations, as opposed to anyevent; similar changes were made to the duty to report"cybersecurity events" to the superintendent.
• A new confidentiality provision protects covered entities withrespect to the information provided in the required annualcertification to the New York superintendent of insurance.
• The exemptions provision has been expanded and also requiresthat a covered entity that qualifies for an exemption file a noticeof exemption.

Pending the public comment period, there may be more changescoming to the regulation. Financial institutions operating in NewYork should review the updated proposed regulation against existingpolicies and procedures to ensure compliance and mitigate against potentialfines or penalties.

Work with your insurance advisors to understand how insurance —including cyber liability — can help you mitigate and transferthese risks.

Related: New York regulator rolls out cybersecurityproposals for insurance, banks

Ben Zviti is senior vice president, in Marsh's Financial andProfessional Products (FINPRO) Specialty Practice. He can bereached at [email protected]. This article first appeared onMarsh.com and is reprinted here with permission. Visitthe MarshRisk in Context blog for the originalpost.