Privacy & Information Security Law Blog

On December 28, 2016, the New York State Department of Financial Services (“DFS”) announced an updated version of its cybersecurity regulation for financial institutions (the “Updated Regulation”). The Updated Regulation will become effective on March 1, 2017.

Key changes from the version that was published in September 2016 include:

• providing a definition of a “Third-Party Service Provider”;
• modifying the definition of “Nonpublic Information” to make it consistent with the definition of private information under New York’s state breach notification law;
• adding “asset inventory and device management” to the list of required components of a covered entity’s cybersecurity policy;
• permitting a covered entity’s Chief Information Security Officer to be employed by an affiliate of the covered entity or by a service provider;
• limiting the requirement for a covered entity to maintain audit trails to cover only cybersecurity events “that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity”;
• eliminating the obligation for covered entities to require multi-factor authentication for employees accessing internal databases; and
• adding a notice of exemption form that covered entities may complete and file with DFS if they believe they are exempt from specific sections of the regulations.

In announcing the Updated Regulation, DFS Superintendent Maria T. Vullo stated that the Updated Regulation “allows an appropriate period of time for regulated entities to review the rule before it becomes final and make certain that their systems can effectively and efficiently meet the risks associated with cyber threats.”

The Updated Regulation will be finalized in January 2017 following a 30-day notice and public comment period and will become effective on March 1, 2017.