Yesterday, the New York State Department of Financial Services released the final version of its new cybersecurity regulations, to be promulgated at 23 N.Y.C.R.R. Part 500, making some incremental changes against its last version, released on December 28, 2016.
Of note is DFS’s reaction to comments from higher education institutions that would have potentially been covered under the new regulations as DFS licensees under N.Y. Insurance Law § 1110 (issuance of charitable annuities). Outside of the incremental changes reflected in the final version, DFS’s regulations continue to reflect the move to a more risk-adjusted approach to cybersecurity, rather than a purely prescriptive approach. Questions remain, however, concerning the scope and reach of these regulations.
DFS has also not indicated how Covered Entities are to report material Cybersecurity Events within the 72-hour window contained in the regulations. This reporting will almost certainly be electronic, but DFS has apparently yet to set up a secure reporting portal. That being said, the regulations allow 180 days from their effective date for compliance, in which time DFS will presumably stand up the infrastructure necessary to administer the regulations.
These regulations will be in force once printed in the State Register, which is expected to occur on March 1, 2017. The final version of the regulations can be found here, and DFS’s press release on the regulations can be found here.