The New York State Department of Financial Services (DFS) released revisions this week to its proposed cybersecurity regulations, which would require financial services companies, banks and insurance providers to establish and maintain a cybersecurity program designed to protect consumers. The rules, the first in the U.S. to regulate the cybersecurity of banks and insurers, are set to take effect on March 1.
The proposed regulations were unveiled in September and were originally set to take effect on the first day of 2017. Banks and insurers requested a deadline extension and some adjustments to the program. The revised proposal includes less restrictive timelines and requirements and gives companies as long as two years to comply with the rules, Reuters reports.
"This updated proposal allows an appropriate period of time for regulated entities to review the rule before it becomes final and make certain that their systems can effectively and efficiently meet the risks associated with cyberthreats," said DFS Superintendent Maria Vullo in a statement.
The proposed rules will be finalized following a 30-day comment period.
Cybersecurity laws are few and far between, particularly at the state level. New York's regulation is one of the first programs mandating that companies implement cybersecurity programs to protect customers.
To a CISO or CIO, such consumer protection measures are practically a given at this point, but cybersecurity can still take a back seat in the boardroom. Neglecting it can have embarrassing consequences: organizations whose inadequate cybersecurity practices result in a breach can also draw enforcement action from the Federal Trade Commission.
More states could certainly follow suit with their own cybersecurity accountability measures, but companies are still pushing back, which delays regulation, as happened in New York. Companies should nonetheless anticipate more cybersecurity mandates, as government agencies look to regulate against large-scale breaches and the exposure of sensitive customer information.