Last week, the New York State Department of Financial Services (DFS) announced that it has updated and will delay implementation of its proposed, first-in-the-nation cybersecurity regulations. DFS’s proposed regulation, which was originally supposed to go into effect on January 1, 2017, will be effective March 1, 2017.
Despite receiving criticisms from trade groups and companies within the affected banking and insurance industries regarding the rules overly broad scope and lack of flexibility, DFS said that is retaining the general parameters of its requirements. DFS did make a number of changes to its original proposal, including exempting businesses with fewer than 10 employees. In addition, the revised regulations no longer require covered entities to put a single executive in charge of their cybersecurity, and they provide covered entities with more latitude to tailor their cybersecurity plans to the particular weaknesses that are reflected in their risk assessments.
DFS said that they expect to finalize the revised rules after a 30-day comment period, which runs through January 27, 2017.