December 2016
- New York State Delays Cybersecurity Regulation for Financial Institutions
- 5th Circuit Rules That Phishing Scam Not Covered Under Crime Protection Insurance Policy’s Computer Fraud Coverage
- US Treasury’s Federal Insurance Office Considers Big Data, Cyber Risk and Data Privacy in First Annual Report on the Protection of Insurance Consumers
- Federal Communications Commission Chairman Signals Increased Oversight of Internet-of-Things Devices
- Home Depot Directors Prevail in Cybersecurity Liability Claim: ‘Directors’ Decisions Must Be Reasonable, not Perfect’
- The Commission on Enhancing National Cybersecurity Releases a New Report Detailing Recommendations for the Trump Administration
Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates skadden.com
Privacy & Cybersecurity Update
New York State Delays Cybersecurity Regulation for Financial
Institutions
The New York State Department of Financial Services has announced
certain changes to its new cybersecurity regulation for banks, insurance
companies and other financial services institutions, addressing some
but not all of the comments it received on the initial draft, and delaying
compliance until September 1, 2017.
As we discussed in a September Privacy & Cybersecurity Update,1 New York state has
proposed regulation that would require certain banks, insurance companies and other
financial services institutions regulated by the New York State Department of Financial
Services (DFS) to establish and maintain a cybersecurity program. The proposal2 was
the result, in part, of a DFS survey of approximately 200 regulated banking institutions
and insurance companies regarding the industry’s efforts to prevent cyberattacks. The
proposed regulation3 was subject to a 45-day notice and public comment period during
which the DFS received 150 comments, many of which were critical of the proposed
framework. DFS has now announced certain modifications to the proposed regulation
based on those comments, which address some, but definitely not all, of the concerns
that have been expressed. Significantly, the DFS has delayed the effective date of the
new regulation until March 1, 2017 (previously January 1, 2017), and the compliance
date to September 1, 2017 (previously July 1, 2017). Companies are now required
to provide a certificate of compliance with the regulation to DFS each February (as
opposed to January), beginning in 2018. The key changes are as follows:
- In response to comments that the cybersecurity requirements should be made more
flexible and risk-based, the revised regulation clarifies that certain requirements can
be linked to the amount of risk an institution faces. DFS noted, however, that a simple
cost-benefit analysis of “acceptable losses” would not be appropriate.
1 View the September 2016 special edition of the Privacy & Cybersecurity Update here.
2 View the DFS press release here.
3 View the proposed regulation here.