New York Cybersecurity Regulations Delayed, Being Revised

Photo Credit: Photo Credit: Marco Verch
Licensed under Creative Commons Attribution 2.0 (no changes were made to the image) https://creativecommons.org/licenses/by/2.0/deed.en

The New York Department of Financial Services has pushed back the effective date of its Cybersecurity Regulations from January 1, 2017 to March 1, 2017. This is to give the NYDFS time to significantly revise the proposed Cybersecurity Regulations initially released for comment in September 2016, which created quite a bit of controversy. The revised regulations are to be published on December 28, 2016.

The NYDFS signaled this change two days after a hearing in Albany, New York in which New York bankers voiced their concerns to New York State lawmakers. While the NYDFS has not elaborated on what is being re-written, the following are some of the key concerns that were voiced to lawmakers in the hearing:

1. It would cost too much.
2. Banks shouldn’t be forced to hire CISOs.
3. The rules are too tough.
4. New York’s regulation is too different from the federal rules of FFIEC, Federal Reserve, the OCC, the FDIC and even NIST.
5. The regulation is “one size fits all.”
6. It calls for too much incident reporting.
7. The extra regulation and reporting could create an impression that New York banks are less secure than others.

These points are explained more thoroughly in the American Banker source article New York Rewriting Cybersecurity Rules After Banker Pushback.

Here are two articles I have written for SecureWorld that discuss the proposed NYDFS Cybersecurity Regulations and I will also address the revisions in the near future:

• Learn How the NYDFS Cybersecurity Regulations Will Impact Your Company
• Must Your Company Comply with the NYDFS Cybersecurity Regulations? The Answer May Surprise You

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.