On February 16, 2017, the New York Department of Financial Services (NYDFS) announced the release of its finalized Cybersecurity Requirements for Financial Services Companies (“Cybersecurity Regulation”), which will take effect on March 1, 2017. This final iteration, issued following an additional 30-day comment period, is in large part the same as the revised version dated December 28, 2016, which we reported on in early January. Although most of the edits focused on relatively inconsequential wordsmithing, a few material changes were made, including the following:
- Section 500.06(b) reduces the records retention requirement for audit trails designed to detect Cybersecurity Events (down to three years from five years).
- Section 500.19(a)(1) specifies that the limited exemption for Covered Entities with fewer than 10 employees relates to employees that are “located in New York or responsible for business of the Covered Entity.”
- Section 500.19(a)(2) clarifies that the limited exemption for Covered Entities that have less than $5 million in gross annual revenue in each of the last three fiscal years relates to revenue “from New York business operations.”
- Section 500.19(f) exempts charitable annuity societies (subject to Insurance Law Section 1110), risk retention groups not chartered in New York (subject to Insurance Law Section 5904), and any accredited reinsurer or certified reinsurer pursuant to 11 NYCRR 125 – provided that these organizations do not otherwise qualify as a Covered Entity.
The Cybersecurity Regulation likely will have implications far beyond New York and the Covered Entities that are directly subject to the NYDFS’s enforcement authority. Given the significant number of financial institutions that will be required to comply, other regulators, clients, customers and counterparties may begin to view these new requirements as a baseline standard for cybersecurity in the financial industry.