Legal Executive Institute
What Lawyers Are Asking About the New York DFS Cybersecurity Regulation
March 9, 2017
By Daniel B. Garrie
In September 2016, the New York Department of Financial Services (DFS) proposed a new Cybersecurity Regulation that would impose strict cybersecurity requirements on banks, consumer lenders, money transmitters, insurance companies and certain other financial service providers (each, a “Covered Entity”). DFS received varied but primarily negative feedback on the proposed Regulation, as many commentators condemned it as too prescriptive and burdensome on Covered Entities. A common theme of the commentary was that the proposed Regulation did not allow Covered Entities to properly assess risk and build cybersecurity programs designed to meet those risks.
DFS subsequently revised the proposed Regulation and clearly took the comments to heart. The new proposed Regulation has greatly reduced the burden on Covered Entities and completely changed the regulatory compliance requirements. Demonstrating compliance with the Regulation is now based on walking a fine line between development of the Risk Assessment Policy and using the resulting Risk Assessment to modify or develop the Cybersecurity Program, the Cybersecurity Policy and associated procedures. In light of these revisions, there are a number of questions that we have been asked by multiple companies.
To read the full article, go to the Legal Executive Institute