The New York Cybersecurity Rule

In December, the New York State Department of Financial Services (NYSDFS) issued a revised version of its proposed cybersecurity rule. It requires financial services firms that are licensed, or are otherwise granted operating privileges by the NYSDFS (Covered Entities), including the insurance industry, to establish and maintain a cybersecurity program, showcasing the State’s keen focus on cybercrime and security.

The changes reflected in the revised proposal resulted, in part, from the substantial public comments submitted in response to the original proposal issued on September 13, 2016. The Council was among those that submitted feedback.

Although the revised proposal is more closely aligned with a risk-or processed-based approach to cybersecurity, The Council still has concerns. First, the revised proposal retains an extremely short notification window (72 hours) and continues to impose requirements relating to third-party service providers that could be difficult and costly for businesses to implement. Furthermore, the proposal still does not include a HIPAA exemption for businesses that are in compliance with that statute and has not limited the definition of covered entities to exclude captive insurers.

The NYSDFS is accepting comments on the revised proposal only until January 27, 2017. Given the short window, we ask that you provide input and comments to us by January 19. If you plan to submit your own letters, please shoot a note to John Fielding at john.fielding@ciab.com with this information.

This revised proposal will delay both the effective date and the original 180 day transitional period for businesses. Under the revised proposal, the rule will go into effect on March 1, 2017.