NYS DFS Issues Final Version of Cybersecurity Regulations

Yesterday, the New York State Department of Financial Services released the final version of its new cybersecurity regulations, to be promulgated at 23 N.Y.C.R.R. Part 500, making some incremental changes against its last version, released on December 28, 2016. 

Of note is DFS’s reaction to comments from higher education institutions that would have potentially been covered under the new regulations as DFS licensees under N.Y. Insurance Law § 1110 (issuance of charitable annuities).  Outside of the incremental changes reflected in the final version, DFS’s regulations continue to reflect the move to a more risk-adjusted approach to cybersecurity, rather than a purely prescriptive approach.  Questions remain, however, concerning the scope and reach of these regulations. 

DFS has also not indicated how Covered Entities are to report material Cybersecurity Events within the 72-hour window contained in the regulations.  This reporting will almost certainly be electronic, but DFS has apparently yet to set up a secure reporting portal.  That being said, the regulations allow 180 days from their effective date for compliance, in which time DFS will presumably stand up the infrastructure necessary to administer the regulations. 

These regulations will be in force once printed in the State Register, which is expected to occur on March 1, 2017.  The final version of the regulations can be found here, and DFS’s press release on the regulations can be found here.

SEC Warns Cybersecurity Remains a Top Priority in ...
Employers Take Note: 11th Circuit Broadly Interpre...


This website presents only general information not intended as legal advice. Although we encourage calls, letters and emails from prospective clients, please keep in mind that merely contacting Harter Secrest & Emery LLP (HSE) does not establish an attorney-client relationship between us. Confidential information should not be sent to HSE until you have been notified in writing by HSE that a formal attorney-client relationship has been established. Information sent to us before then may not be treated as confidential by HSE or the court.

I have read this and agree     Cancel

Our website uses cookies. By continuing to use our site, you agree to our use of cookies in accordance with our Privacy Policy.