PropertyCasualtyFocus

NY DFS Cybersecurity Regulations Take Effect March 1, 2017

February 24, 2017 by Nora Valenza-Frost

We previously reported on the New York Department of Financial Services’ proposed cybersecurity regulations (23 NYCRR Part 500). During the public comment period, the DFS received over 150 comments. In response, the DFS announced on December 28, 2016, that it had revised the proposed regulations and delayed their effective date by two months. On February 16, 2017, the DFS confirmed that the final regulations will take effect March 1, 2017, with compliance required 180 days thereafter (August 28, 2017). These regulations apply not only to property casualty insurers licensed in New York, but also to many of their commercial policyholders and insured vendors that are subject to DFS regulatory authority.

During the comment period, many small and medium-sized companies objected to the “one size fits all” approach of the original proposal. The DFS responded by tying the design of an organization’s cybersecurity program to the outcome of that organization’s risk assessment. The risk assessment must be conducted periodically, rather than annually as originally proposed. Under the revised regulations, the risk assessment also drives many other elements of the program, including audit trails, access privileges, and multi-factor authentication. The exemption for small entities is now defined by headcount (fewer than 10 employees, including independent contractors) rather than by number of customers, and the original proposal’s gross revenue and total asset thresholds are retained. Small and medium-sized companies may rely on a third party service provider for some functions (e.g., serving as the company’s designated CISO or supplying its cybersecurity personnel), but the burden of overseeing those providers and of complying with the regulations’ requirements will still fall largely on the company’s own compliance and IT personnel.

The revised regulations also narrow the definition of “nonpublic information,” bringing it more in line with the definitions used in other breach notification statutes. The encryption requirement is scaled back as well. The original proposal required companies to encrypt all nonpublic information, both in transit and at rest, in all circumstances. The revised regulation instead requires controls, including encryption, scaled to the risk assessment; where an entity determines that encryption of nonpublic information is infeasible, it may rely on effective alternative “compensating controls” approved by its CISO, with the feasibility of encryption and the effectiveness of those controls reviewed by the CISO at least annually.

Additional key revisions include:

  • Notice Requirements: The set of reportable cybersecurity events was narrowed to (i) events that the entity must report to any government body, self-regulatory agency, or other supervisory body, and (ii) events that have a reasonable likelihood of materially harming any material part of the entity’s normal operations. This removes the original proposal’s requirement to report any potential unauthorized tampering with, or access to or use of, nonpublic information. Notice to the DFS must still be made within 72 hours of the entity’s determination that a reportable cybersecurity event has occurred.
  • Clarity on Third Party Service Provider(s): The original proposal left this term undefined. The revised regulations define it as a person that (i) is not an affiliate of the entity; (ii) provides services to the entity; and (iii) maintains, processes, or otherwise is permitted access to nonpublic information through its provision of services to the entity.
  • CISO: The CISO’s written cybersecurity report to the board (or equivalent governing body) is now due at least annually, rather than at least bi-annually (twice a year) as originally proposed.
  • Confidentiality: Information provided to the DFS under the revised regulations is exempt from disclosure to the extent provided by applicable New York law.

About Nora Valenza-Frost

Nora Valenza-Frost is of counsel at Carlton Fields in New York, New York.
