Joseph P. Vitale is a partner at Schulte Roth & Zabel LLP. This post is based on a Schulte Roth publication by Mr. Vitale, Michael L. Yaeger, and Noah N. Gillespie.
On Dec. 28, 2016, the New York State Department of Financial Services (“NYDFS”) issued revisions to its proposed regulation that would impose new, rigorous cybersecurity requirements on banks, consumer lenders, money transmitters, insurance companies and certain other financial service providers (each a “Covered Entity”) regulated by the NYDFS (the “Proposed Regulation”). The Proposed Regulation’s effective date was delayed two months, from Jan. 1, 2017 to March 1, 2017. In the meantime, a new 30-day public comment period will run until Jan. 27, 2017.
Even as revised, the Proposed Regulation still exceeds what other regulators have suggested, much less required, and given the scope and footprint of many New York financial institutions, the impact of the Proposed Regulation will likely far exceed the state of New York. However, the NYDFS did make several significant modifications, mostly in response to industry concerns. This post focuses on those changes. For more information on the aspects of the Proposed Regulation that remain unchanged, please refer to our Sept. 15, 2016 post on the original version.