BreachExchange mailing list archives
New York Delays Implementation of Cybersecurity Mandate by Two Months
From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 28 Dec 2016 16:48:00 -0600
http://www.newyorklawjournal.com/id=1202775640002/New-York-Delays-Implementation-of-Cybersecurity-Mandate-by-Two-Months?slreturn=20161128163022

Implementation of a new mandate on financial services companies to establish broad safeguards against cyberattack is being pushed back by two months, New York state regulators said Wednesday.

In amendments to the cybersecurity rules it first filed in September, the Department of Financial Services (DFS) said that it is retaining the general parameters of its requirements, despite receiving negative comments about the plan from trade groups and companies within the affected banking and insurance industries (NYLJ, Nov. 30 <http://www.newyorklawjournal.com/id=1202773512546/Financial-Industry-Groups-Slam-States-Proposed-Cybersecurity-Rules?mcode=1202615036097&curindex=1>).

"DFS believes that the proposed regulation effectively addresses the required elements of a cybersecurity program at this time, along with DFS's overall supervisory authority," the department said in an "assessment" of the 150 public comments it has received on the plan.

The revisions indicated that DFS would delay the implementation date of the new regulation from the original Jan. 1, 2017, date to March 1, 2017, giving the affected companies 180 days, or until Sept. 1, to begin complying with its provisions. The original compliance date had been July 1.

The DFS did not change the date of when regulated companies would have to submit a certificate of compliance to the department, indicating that it was complying with terms of the cybersecurity protections, of Feb. 15, 2018.

The department said that it would not yield, however, on certain points of its plan including the definition of a "cybersecurity event" as an actual or attempted security breach that would require a company report to the department within 72 hours and the requirement for companies to file copies of their updated security plans each year with the department.

Under the plan, companies also would need to harmonize its guidelines with those developed by other regulating entities such as the National Institute of Standards and Technology (NIST), or Congress under the Gramm-Leach-Bliley Act.

"The department has been continually mindful of other standards and approaches and believes that the revised regulation is appropriately consistent with the goal of setting minimum [cybersecurity] standards," a revised version of DFS's proposed cybersecurity regulation published Wednesday by the state Department of State explained.

In general, the department said it believes the program it initially outlined in the fall is sound and would serve to protect both the confidential information held by financial services companies about consumers and sensitive corporate records.

The DFS said it was reworking its regulations to make clear that companies will be required to designate a chief information security officer, but not to hire a new employee to hold the title.

Publication Wednesday of the DFS's revisions to its regulations, which are contained in state Financial Services Law §§ 102, 201, 202, 301, 302 and 408, started a new 30-day period for public comment.

Gov. Andrew Cuomo hailed the DFS's proposal in September as the first of its kind in the nation and said he was squarely behind the initiative (NYLJ, Sept. 15 <http://www.law.com/sites/almstaff/2016/09/14/counsel-skeptical-of-nys-proposed-cybersecurity-rules-for-banks-insurers/>).