The New York Department of Financial Services (NYDFS) recently issued an updated version of its proposed cybersecurity regulation, “Cybersecurity Requirements For Financial Services Companies” (23 NYCRR 500). The updated proposed regulation reflects several of the comments offered during the initial public notice and comment period that concluded on November 14, 2016. Some of the most noteworthy changes in the revision are as follows:
- Section 500.04 — NYDFS clarified that while a Covered Entity must designate a qualified individual to perform the responsibilities of a Chief Information Security Officer (CISO) outlined in the regulation, that individual is not required to have this specific title. This individual is also not required to be dedicated exclusively to performing the duties of the CISO.
- Section 500.13 — The previous version required each Covered Entity to create policies and procedures for the timely destruction of nonpublic information. However, the updated version clarifies that a company can take into account circumstances in which the disposal of that data is not reasonably feasible due to how information is maintained.
- Section 500.18 — The updated proposed rule includes a new confidentiality provision. Under this provision, any disclosures by a Covered Entity are exempt from disclosure rules under applicable state and federal law.
- Section 500.19 (formerly Section 500.18) — The previous version of the proposed rule granted a limited exemption based on the number of customers. The updated version makes the following changes:
- It removes a proposed exemption for those Covered Entities with fewer that 1,000 customers in each of the last three calendar years and replaces it with a exemption for a Covered Entity with fewer than 10 employees including any independent contractors.
- In addition, an employee, agent, representative or designee of a Covered Entity does not need to create a separate cybersecurity program if it is covered by the Covered Entity’s program.
- Finally, a Covered Entity receives a limited exemption if it does not control or maintain Information Systems or maintain or generate nonpublic information.
- Section 500.21 (formerly Section 500.20) — The effective date of the new proposed regulation is now March 1, 2017 instead of January 1, 2017.
- Section 500.22 (formerly Section 500.21) — Under the previous version, covered entities only had 180 days to implement the regulation. The updated version provides for a staggered schedule of implementation times ranging from one year to two years depending on the provision.
A more comprehensive overview of the changes is contained in the “Assessment of Public Comments for New Part 500 to 23 NYCRR.” The public is invited to comment on the updated proposed regulation until January 27, 2017.