New York partner Tom Dawson and associate Yuliya Feldman were quoted in a report prepared by ThirdCertainty titled, “Despite revision, cybersecurity rules for New York financial sector still have teeth.”
The article discussed the significance, risks, and timing of compliance measures in the New York State Department of Financial Services’ (NYDFS) revised plan to implement an unprecedented set of rules requiring financial services companies to adopt comprehensive cybersecurity policies and practices. In response to comments from over 150 interested parties, the NYDFS revised its original proposal to permit regulated entities to use risk-based concepts to tailor their cybersecurity programs and agreed to postpone the effective date of the revised cybersecurity requirements by two months—to March 1.
When asked about the significance of New York standing its ground, Tom said, “Most cybersecurity regulation efforts focus on either providing a voluntary framework for evaluating cybersecurity risks, or prescribing remedial efforts after a data breach has occurred. New York seeks to impose comprehensive and specific cybersecurity requirements that are focused on preventing data breaches, such as multi-factor authentication and encryption.”
Commenting on key revisions to the regulations, Yuliya said, “The overall effective date was pushed back to March 1, and extended transitional periods for certain requirements were introduced. However, these new deadlines are still tight. The introduction of a risk-based approach now requires two separate steps—the risk assessment and implementation of the cybersecurity requirements taking the risk assessment conducted into account. Therefore, covered entities should begin planning soon, if they have not begun to do so already, to give themselves sufficient time to come into compliance.”
Tom also noted that other states are “definitely watching” to see what transpires.