A widely watched proposed bank cybersecurity rule out of New York has been revised, and its deadline pushed back, giving the state’s financial industry a bit more wiggle room when it comes to compliance.
The New York Department of Financial Services has extended its compliance deadline until March 1, two months later than first expected. The rule requires banks, insurance companies and other financial services providers regulated by the department to craft programs and technology that guard against hacks. The revision, announced after the public offered some 150 comments on the proposed rule, allows financial institutions to perform cyber-risk assessments “periodically” rather than annually, and allows either a senior officer or the company’s board of directors to approve cybersecurity plans, rather than both, as was originally stated.
The financial services regulator also will give an exemption to businesses with fewer than 10 workers and less than $5 million in gross annual revenue or less than $10 million in year-end total assets. Under the revised rule, businesses also can designate an employee as chief information officer instead of hiring someone specifically for that role. The revision keeps in place the requirement that businesses must notify the department of a breach within 72 hours.
The updated proposed regulation, which was submitted to the New York State Register on Dec. 15, 2016, and published Dec. 28, will be finalized following a 30-day notice and public comment period. NYDFS will focus its final review on any new comments that were not previously raised in the original comment process.