As we previously noted, the New York Department of Financial Services (NYDFS) announced a slew of cybersecurity regulations for banks, insurance companies, and other regulated financial institutions. But due to many concerns raised during the comment period, NYDFS updated their proposed regulations. Here’s the gist:
Originally, the definition for nonpublic information was broad and could be read to include any information maintained by a Financial Institution. The definition in the new proposal is more along the lines of those used in state breach notification laws.
This includes information relating to an individual, and information that can be used to identify an individual. Along with first and last name, other data elements could include Social Security number, driver’s license number, financial account number, biometric data, etc.
Financial Institutions are required to implement and maintain a cybersecurity program to protect the confidentiality, integrity, and availability of their information systems. This program should be based on the results of the organization’s risk assessment.
The revisions call for the organization’s required cybersecurity policy to be derived from the risk assessment as well. One notable change regarding risk assessments: the annual requirement was scaled back to a periodic basis instead.
Chief Information Security Officer (CISO)
The revised proposal no longer obligates organizations to appoint a CISO. Instead, the requirement now calls for a qualified individual to oversee the aforementioned cybersecurity program and to enforce the cybersecurity policy. The regulations still require this individual to provide a written report on the cybersecurity program to the board, though now on an annual basis.
Financial Institutions regulated by the NYDFS should take note of the changes in the proposed cybersecurity regulations. The previous proposal was slated to go into effect at the turn of the new year. With the new revisions, NYDFS has pushed back the effective date to March 1, 2017.
Whereas the original proposal called for organizations to comply within 180 days, the revised regulations include different timeframes for compliance with different provisions. Details of the compliance time windows can be found in the text of the regulations.