The New YorkState Department of Financial Services (NYDFS) last week issuedan updated draft of its cybersecurity regulations after consideringsubmitted comments, issues, and concerns regarding its initialproposal.

Financial institutions should be aware of any modifications toensure they are up-to-date on the requirements.

The updated regulations appear to be more practical and are moreclearly risk-based than the original version proposed in September2016. Many of its requirements are now linked to each coveredentity's risk assessment, which must be conducted and updated"periodically."  

Updated regulations

The regulations — which take effect March 1, 2017, following asecond 30-day notice and public comment period — apply to banking,insurance and other financial services organizations that fallunder the purview of the NYDFS. The regulations havebeen modified in the following additional key areas:

  • The definition of "nonpublic information," which is subject tothe regulation, has been revised to make it narrower and closer tothe more common definitions of "personal information."
  • Many requirements received extended compliance timelines,ranging from 12 to 24 months compared to the default of sixmonths.
  • Covered entities can comply through an affiliate; therefore, agroup of companies need not have multiple programs.
  • Covered entities are no longer required to identifynonpublicinformation stored in their systems.
  • The requirement to have an annual review of the cybersecuritypolicy by the board of directors of the covered entity has beenremoved.
  • Multifactor authentication and encryption of data in transitand at rest are no longer mandatory and are dependent on the riskassessment and the existence of compensating controls.
  • The requirement to conduct quarterly penetration testing hasbeen relaxed to allow for periodic and continuous reviewing,monitoring and testing.
  • The requirements for third-party service providers (TPSPs) havebeen softened to allow more flexibility in contract negotiationswith TPSPs.
  • Incident response plans must only address events "materially"affecting information systems or the continuing functionality of afinancial institution's business or operations, as opposed to anyevent; similar changes were made to the duty to report"cybersecurity events" to the superintendent.
  • A new confidentiality provision protects covered entities withrespect to the information provided in the required annualcertification to the New York superintendent of insurance.
  • The exemptions provision has been expanded and also requiresthat a covered entity that qualifies for an exemption file a noticeof exemption.

Pending the public comment period, there may be more changescoming to the regulation. Financial institutions operating in NewYork should review the updated proposed regulation against existingpolicies and procedures to ensure compliance and mitigate against potentialfines or penalties.

Want to continue reading?
Become a Free PropertyCasualty360 Digital Reader

  • All news coverage, best practices, and in-depth analysis.
  • Educational webcasts, resources from industry leaders, and informative newsletters.
  • Other award-winning websites including and

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.