New York Cybersecurity Regulations Delayed, But Coming 9:14, January 4, 2017


The New York State Department of Financial Services (DFS) proposed Cybersecurity Requirements for Financial Services Companies earlier this year, with an expected January 1, 2017 effective date. The effective date of the cybersecurity regulations has unofficially changed to March 1, 2017, according to Reuters and its “exclusive” source from the DFS.

That likely won’t be the only change to the proposed cybersecurity regulation. Although the DFS surveyed the banks and insurance companies it regulates before releasing the proposed regulations, community banks and “relatively small” financial institutions in particular expressed concerns about the proposal at a public hearing before the New York State Assembly Committee on Banks.

According to the National Law Review, and many other news sources, the banks were concerned that the proposed requirements were too “one size fits all,” that they didn’t reconcile with federal cyber requirements, and that the reporting requirements were too “onerous” (they would require annual reporting to the DFS whether or not a data security breach happened). The DFS may disagree: Superintendent Maria T. Vullo stated that the proposed regulations included the “flexibility necessary to ensure that institutions can efficiently adapt to continued innovations and work to reduce vulnerabilities in their existing cybersecurity programs.” DFS survey data also shows that small institutions generally lagged behind larger ones in implementing data security measures such as auditing third parties that handle customer data or “key infrastructure systems.” The proposed data security regulations are also broadly comparable to other federal-level laws and policies.

What’s less talked about (and thus very likely to be implemented on March 1) are the training requirements under the proposed regulations. DFS-regulated financial services companies and insurance companies doing business in New York must “provide for and require all personnel to attend regular cybersecurity awareness training sessions that are updated to reflect risks identified by the Covered Entity.” The DFS explains, “[a]lthough external threats tend to grab headlines, insider breaches from employees, consultants, and others can do just as much—if not more—harm to an institution.” This means training everyone, especially since insider negligence is the number one cause of data breaches, according to experts like the Ponemon Institute and the Society of Corporate Compliance and Ethics.

Firms must understand “the role of all employees in protecting the institution’s information and systems,” as expected in examinations by the Federal Financial Institutions Examination Council (FFIEC). There’s little question that improperly trained employees are a huge risk to any business handling personal data.

What does all of this mean? Three things: (1) stop guessing, and start doing, (2) mark your calendars for December 28, 2016 as the DFS is expected to release the official cybersecurity regulations then (we will update you, too), and (3) educate yourself on how employees are the largest risk, yet largest opportunity, to securing your company’s data.

***Update*** On December 28, 2016 the DFS released updated proposed regulations. The effective date is officially March 1, 2017 and companies still have to provide data security awareness training to personnel as well as implement cybersecurity programs and policies.

LawRoom (powered by EverFi) delivers online compliance courses to help your business meet its requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.

Douglas Kelly
Douglas Kelly is EverFi's lead legal editor. He writes on corporate compliance and culture, analyzing new case law, legislation and regulations affecting US companies. Before joining EverFi, he litigated federal and state employment cases and wrote about legal trends. He earned his JD from Berkeley Law and BBA from Emory University.
