In response to the uniformly negative feedback it received from industry participants and interested parties, the New York State Department of Financial Services has modified its proposed cyber security regulations and delayed their start date by two months.
Originally, these “first-in-the-nation” regulations were set to take effect on January 1, 2017, but one of the strongest criticisms that DFS received was that the window between the September announcement of the new regulations and a January 1 start date was just too short to allow for the kind of sweeping change that the regulations envisioned. The proposed regulations are now slated to go into effect on March 1, 2017.
DFS’s press release concerning the new regulations can be found here - http://www.dfs.ny.gov/about/press/pr1612281.htm
The new regulations themselves can be found here - http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf
We are conducting an in-depth review of the changes made and will provide our insight into those changes shortly. This recent change only adds to the complexity surrounding these regulations, with entities that had made efforts to stand up compliance programs concerning the first set of regulations now being forced to adapt to the new changes. A 30-day final comment period follows these modified regulations, after which they will either take effect, or further modifications could follow.