Proposed Cyber Security Regs Eased in New York After Industry Complaints

Print Email
December 29, 2016 by Jim Finkle

New York state’s financial regulator on Wednesday issued a revised proposal for the nation’s first cyber security rules for banks and insurers, loosening some security requirements and delaying implementation by two months to March 1.

The rules from the New York State Department of Financial Services are being closely watched because they lay out unprecedented requirements on steps that financial firms must take to protect their networks and customer data from hackers and disclose cyber events to state regulators.

“Many organizations are going to have a lot of work to do to come into compliance with these revised regulations,” said Jed Davis, a partner with law firm Day Pitney and former U.S. federal cyber crimes prosecutor.

The state revised the rules in response to more than 150 comments on its initial proposed regulations.

The New York Insurance Association in one letter called the regulation “too much of a ‘one size fits all’ rule” that was overly specific and too broad. A New York Bankers Association letter warned of unintended consequences that would “hamper efforts to protect the public and may defy its purpose of preventing cyber attacks.”

The revised regulations include easing some timelines and requirements, including standards for encrypting data and authenticating access to networks. They also provide more time for compliance, expanding the transition from six months to as long as two years.

The agency said it would finalize the rules after a 30-day comment period.

“This updated proposal allows an appropriate period of time for regulated entities to review the rule before it becomes final and make certain that their systems can effectively and efficiently meet the risks associated with cyber threats,” Financial Services Superintendent Maria Vullo said in a statement.

The American Bankers Association, a critic of the original draft, praised the revisions.
“Some good work has been done,” association Senior Vice President Doug Johnson said in a phone call. “Once we have in-depth conversations with our membership, there may still be some operational concerns we will want to express.”

Reuters first reported on the agency’s plan to delay the regulations last week.

Copyright 2024 Reuters. Click for restrictions.
Print Email

Was this article valuable?

Here are more articles you may enjoy.

USAA to Lay Off 220 Employees
Despite Break in Car Prices, Soaring Insurance Costs Hit U.S. Buyers
Florida Gets 8 New P/C Carriers After Insurance Market Reforms
La Nina 60% Likely to Develop Between June-August

Related Articles

New York’s Top Financial Regulator to Leave, Launch Cybersecurity Consulting Firm
France’s Atos Boosts Cyber Security Services With $5.06B Gemalto Buy
Pending New York Cybersecurity Regs Risk Raising Loss Potential: Fitch Ratings
New York Insurance Banking Cybersecurity Regs to Be Delayed Past Jan. 1
Only 5 Percent of Large UK Firms Have Board-Level Cyber Expertise: Deloitte
Cybersecurity High on Executives’ Lists; Relatively Few Have Plan to Address It
Common Misconceptions and 4 Other Reasons Cybersecurity Is Failing
Low Corporate Adoption of Cybersecurity in Risk Management Strategies Can’t Continue: Swiss Re
Insurers Face New York Cybersecurity Review After Anthem Attack
Cybersecurity Firm Optiv Expands Into Europe, Seeks Acquisitions
VC Firm Backed by Ex-Intelligence Chiefs Plans EU-Wide Cybersecurity Firm
Hackers Will Become More Cunning in 2017 as Cyber Risks Intensify: Report
Willis Towers Watson’s New Cyber Risk Assessment Tool: An Employee Survey
New York Issues First-of-Their-Kind Cyber Regs for Insurers and Banks
Europe’s Firms, Unprepared for Cyber Risks, Face Breach Disclosure Law

Latest Magazine

Carrier Management magazine

Research & Whitepapers