NYDFS Proposes Revised Cybersecurity Requirements for Financial Services Companies

Extract from article by Thomas Dawson and Yuliya Feldman

The New York Department of Financial Services has released an extensively revised cybersecurity regulation applicable to the wide variety of financial services companies regulated by the NYDFS. Released on December 28, 2016, the revised regulation makes multiple changes to almost every provision in the original proposal. We summarized the original proposed regulation in a Client Alert issued on September 14, 2016, and subsequently helped re/insurance clients submit comments to the NYDFS. Industry cybersecurity experts will undoubtedly take some time to consider all of the implications of the many changes made by NYDFS drafters. On the whole, however, we suspect that many financial companies that knew they were squarely targeted as “covered entities” will be pleased to see that the NYDFS has incorporated risk-based regulatory concepts in many of the requirements retained in the revised proposal.