New Cybersecurity Requirements Coming for NYS DFS Insurers, Producers, and Other Licensees
January 13, 2017
As previously reported and explained here, the New York State Department of Financial Services (DFS) promulgated a proposed regulation mandating cybersecurity requirements for all licensees, including insurance companies and producers, banks, and others. In response to 150 comments received from the industry, a revised proposed regulation was published December 28, 2016, available here, amending the requirements and delaying their effective date. The regulation, which was to be effective January 1, 2017, will now become effective March 1, thereby delaying the compliance date from July 1 to September 1, 2017. An annual certificate of compliance will be required of each “Covered Entity” by February 15, 2018. Among the changes from the proposed rule, the requirement to report data breaches to DFS within 72 hours was relaxed to exclude incidents that do not present a reasonable likelihood of compromising consumer information, the limited exemption for small entities was expanded, and more flexibility was built into the encryption requirements under certain circumstances where encryption would not be feasible. Nevertheless, the DFS requirements represent a new benchmark that may well be adopted in some form by other states.