NY Department of Financial Services Publishes Revised Cybersecurity Rules

As reported previously, the NY Department of Financial Services (the “NYDFS”) published proposed comprehensive cybersecurity rules that would apply to financial institutions holding a state license. On December 28, 2016, the NYDFS published revised rules, taking into account some, but not all, of the objections to the original rules. The new rules have a 30-day comment period, and final rules are expected to go into effect on March 1, 2017. The revised rules somewhat narrow the scope of the original rules but maintain the overall requirements. The new rules, for example, apply only to “sensitive” personal information, as opposed to all personal information. A covered institution would be required to conduct a “risk assessment” periodically and could tailor its controls based on the results rather than applying prescriptive rules. Instead of encrypting all non-public information, for example, the controls could include encryption together with multifactor and risk-based authentication. The audit requirements appear to be less extensive, and more time is given for the annual certification of compliance.