New York’s financial regulator will delay an anticipated Jan. 1 deadline for banks and insurers doing business in the state to comply with controversial cybersecurity rules, a person familiar with the matter said.
The regulator, the New York State Department of Financial Services, will publish a revamped version of its cybersecurity rules in the New York State Register on Dec. 28, the person said.
The new effective date, following a public review period, will be March 1, 2017, the person said.
Once finalized, the rules will be the first of their kind in the United States by any state or federal agency, the regulator has said.
Banks and insurers have been fighting for an extension of the compliance deadline and other changes since New York Governor Andrew Cuomo issued the long-anticipated proposed cyber security regulations in September.
The New York agency regulates state-chartered and foreign banks licensed to operate in the state, including Goldman Sachs Group Inc., Barclays Plc and Deutsche Bank AG, and all insurance companies that do business in the state.
On Monday, banking and insurance industry representatives expressed their concerns about the rules in a hearing before New York state lawmakers. Among their objections: The rules did not distinguish between small and large financial institutions and would possibly conflict with future U.S. government cyber security rules.
The New York regulator received more than 150 letters from banking and insurance industry groups, among others, in response to the cyber security plan.
Other changes to be included in the revised rules are unclear.
The planned regulations, in the works since 2014, followed a series of high-profile hackings of U.S. companies and three surveys by the regulator about cyber security programs at a total of nearly 200 companies under its watch.
One report the regulator issued last year revealed that a third of 40 banks it surveyed did not require outside vendors to notify them of data breaches, which could compromise bank data.
A task force of U.S. state insurance regulators is also developing a model cyber security law, which individual state legislatures could ultimately choose to adopt.
Model laws, which cover a variety of subjects, typically lead to more uniformity among state laws. But model laws first must be finalized and approved by organizations developing them before being considered by state lawmakers. (Reporting by Suzanne Barlyn; editing by Jonathan Oatis)