NY DFS Proposed Cybersecurity Regulations Revised and Implementation Delayed

Financial Services Regulatory   |   Life, Annuity, and Retirement Solutions   |   January 17, 2017

We previously reported on the New York Department of Financial Services’ proposed cybersecurity regulations. During the public comment period, the DFS received over 150 comments. In response, the DFS announced on December 28, 2016, that it had revised the proposed regulations and delayed their effective date two months – until March 1, 2017, with required compliance 180 days thereafter (August 28, 2017).

Many small and medium-sized companies were particularly active in objecting to the “one size fits all” approach of the original proposed regulations. The DFS attempted to address these concerns in the revised proposed regulations by making the design of an organization’s cybersecurity program dependent on the outcome of that organization’s risk assessment. A risk assessment would be required periodically, rather than annually as the DFS originally proposed. In the revised proposed regulations, an organization’s risk assessment drives many additional aspects of the cybersecurity program, including audit trails, access privileges, and multi-factor authentication. Additionally, whether an entity is exempt is now defined by the number of employees and independent contractors (fewer than 10) rather than the number of customers, while the original proposal’s gross revenue and total asset exemptions are retained. While small and medium-sized companies can use a third party service provider for some assistance (e.g., serving as the company’s designated CISO or providing its cybersecurity personnel), the burden of overseeing these providers and of complying with the regulation’s requirements will still largely fall on the company’s compliance and IT personnel.

In the revised proposed regulations, the definition of “nonpublic information” is also narrower than originally proposed and is more in line with the corresponding definitions in other breach notification statutes. The encryption requirements for nonpublic information are also scaled back. Companies are no longer required to encrypt all nonpublic information in all circumstances to protect it at rest or in transit. Instead, the proposed regulation requires the implementation of “compensating controls,” which may, but need not, include encryption, depending on the risk assessment.

Additional key revisions include:

  • Notice Requirements: Notice of a cybersecurity event is now limited to events that the entity must report to any government body or self-regulatory or supervisory body, and events that have a reasonable likelihood of materially harming any material part of the entity’s normal operations. This revision removes the original proposal’s requirement to report any potential unauthorized tampering with, or access to or use of, nonpublic information. Notice must still be given to the DFS within 72 hours.
  • Clarity on Third Party Service Provider(s): The original proposal left this phrase undefined, whereas the revised proposal defines it as a person that: (i) is not an affiliate of the entity; (ii) provides services to the entity; and (iii) maintains, processes, or otherwise is permitted access to nonpublic information through its provision of services to the entity.
  • CISO: Cybersecurity reports are to be submitted at least annually, as opposed to the original proposal, which required reporting at least bi-annually.
  • Confidentiality: Information provided to the DFS under the revised proposed regulation is exempt from disclosure.

The final comment period on the revised proposed regulation ends January 27, 2017.

©2020 Carlton Fields, P.A.