On October 25, the Privacy Law Report featured a blog post on new cybersecurity regulations being implemented by the New York Department of Financial Services (“DFS”). Those regulations impose a number of requirements on financial institutions, including banks and insurance companies, such as the implementation of cybersecurity programs, the manner in which those companies handle data breaches, and the necessity for those companies to appoint a chief information security officer. While these rules certainly advance a good cause, there has been significant pushback from the banks, which want more time before the rules go into effect. In particular, smaller institutions have complained that the rules provide no differentiation between small and large institutions. Because of these concerns, the DFS has now agreed to move the compliance date from January 1 to March 1.
It will be interesting to see how the coming months will play out. It shouldn’t come as a major surprise that these companies have pushed back – the rules will require them to implement changes that demand additional manpower and cost. And as noted, this is a particular concern for smaller companies, for which the increased expense will have a larger impact. It is no secret that the cost of defending against cyber attacks has long been discussed as a major limiting factor in the world of cybersecurity. Nonetheless, these DFS rules will be the first of their kind, and thus may have a broad impact on shaping the drafting of cybersecurity rules to be implemented by other state agencies. When these rules go into effect, companies should pay close attention to how the DFS tests its new rules and regulations in addition to any changes to the draft rules.