DFS Issues Updated Proposed Cybersecurity Regulations: Responding to Industry Concerns, DFS Proposes More Flexible, Risk-Based Approach to Cybersecurity and Delays Implementation of Proposed Regulations

Sullivan & Cromwell LLP - January 3, 2017

On December 28, 2016, following a 45-day notice and public comment period, the New York Department of Financial Services (the “DFS”) issued updated proposed cybersecurity regulations (the “Updated Proposed Regulations”) applicable to banks, insurance companies, and other financial services institutions regulated by the DFS (“Regulated Institutions”).  Intended to address concerns voiced by Regulated Institutions and trade associations with respect to the version originally proposed for comment in September 2016 (the “Original Proposed Regulations”), the Updated Proposed Regulations appear more flexible and more closely tied to each Regulated Institution’s particular cybersecurity risk assessment.  Moreover, the DFS has delayed the proposed regulations’ implementation and has introduced transitional periods to permit Regulated Institutions additional time to come into compliance with certain requirements.  Comments on the Updated Proposed Regulations are due January 27, 2017.