Following months of criticism and concerns from banks, insurance companies and other financial services institutions, the New York Department of Financial Services (NYDFS) delayed implementation of a cybersecurity regulatory regime that was due to come into effect on Jan. 1, but will now take effect on March 1, 2017.

On Dec. 28, the state's financial regulator released a revised version of the regulations, which are now set to become effective on March 1, 2017. The revised regulations continue the NYDFS's objective "to protect consumers and ensure the safe and sound operation of Department-regulated entities." The revisions reflect feedback concerning covered entities' ability to assess cyber risks and to devote resources to the areas of greatest risk or exposure. Key revisions concern the reporting requirements for cybersecurity events, the appointment of a chief information security officer and a greater emphasis on each entity's own risk assessment.

Work on the regulations began in 2014 after a series of high-profile hacking incidents, a threat underscored in 2015 when a group of overseas hackers made $100 million in profits through trades based on stolen inside information. Several nonfinancial businesses – ranging from retail chains to email providers – have also recently suffered high-profile breaches.

Although the rise of cyberattacks has made the need for some form of cybersecurity oversight generally accepted, and multiple federal and state agencies have promulgated cybersecurity guidance, the NYDFS received considerable criticism of specific elements of the regulations during the public comment period last fall. For example, the Securities Industry and Financial Markets Association ("SIFMA") and the American Bankers Association ("ABA"), along with more than a half-dozen other financial and insurance trade groups, called the proposed rules a "one-size-fits-all" approach that failed to reflect the different business models, sizes and risk profiles that exist across the myriad institutions the NYDFS covers. Moreover, some requirements were identified as unclear or unworkable, and the groups suggested that the regulations' broad reach could cause reporting requirements to be triggered unnecessarily in some situations, subjecting firms to excessive operational burdens. The potential time, cost and resources required to comply with the regulations also raised concerns, particularly among smaller firms. Instead, the groups recommended that NYDFS follow a risk-based approach and that its rulemaking provide institutions with greater flexibility. Specifically, they asked for the regulations to include a materiality standard and a harm trigger in the definition of "cybersecurity event," as well as an extension of the compliance period after the rule's effective date. In response to that specific criticism, the updated regulations have modified the reporting requirements that apply when a cybersecurity event occurs (although the 72-hour reporting requirement for events satisfying specific criteria remained in place). Moreover, the revisions reflect a greater emphasis on covered entities' risk assessments.

Once effective on March 1, 2017, the regulations will be the first cybersecurity rules implemented in the U.S. at either the state or federal level, and although they will cover only New York-based entities, they will have a significant influence due to the state's central role within the financial industry. Indeed, Gov. Andrew Cuomo touted the "first-in-the-nation regulation" when it was initially proposed, calling New York "the financial capital of the world." Requirements reaching third-party vendor security may also broaden the significance of the regulations beyond the entities NYDFS regulates. Therefore, the regulations are expected to establish best practices and norms in New York and other states, and the federal government may also follow suit with similar regimes in the near future.
