Following more than 150 public comments on its original proposal for cybersecurity regulation of financial institutions, the New York State Department of Financial Services (NYDFS) has updated the proposed regulation, taking what is, generally speaking, a more lenient approach toward covered entities.
The updated regulation adopts a risk-based approach that gives covered entities greater flexibility in determining the cybersecurity measures to be implemented based on the entity’s own risk assessment. Many requirements now apply “to the extent applicable” rather than “at a minimum”.
The updated regulation also provides a longer transition period for covered entities to come into compliance. For instance, covered entities will have up to two years to implement security policies regarding their third-party service providers, and up to 18 months to implement policies and procedures for limitations on data retention and for encryption of personal information.
Covered entities will also be permitted to utilize the cybersecurity program and resources of an affiliate to satisfy the regulation’s requirements.
The updated regulation, which was further revised in many other respects, is set to enter into force on March 1, 2017.