WASHINGTON – The New York State Department of Financial Services has modified its cybersecurity rule after a strong pushback from bankers, including at a hearing in Albany last week.
The plan was first proposed in September. Among other things, it would have required banks to appoint a chief information security officer. Bankers complained that the rule would be too costly and that it would not conform enough with existing federal regulations to be easily implemented.
The agency said it updated the plan to reflect that feedback. The updated proposal still includes a requirement to appoint a chief information security officer, but the timeline for reporting and testing was eased. The new plan also has additional exemptions for encryption and multifactor authentication requirements and staggers the implementation period for the final rule.
Institutions will have more time to notify the New York regulator of a cybersecurity incident, with a 72-hour window starting at the moment when the incident has been detected, instead of the moment the incident took place.
"This updated proposal allows an appropriate period of time for regulated entities to review the rule before it becomes final and make certain that their systems can effectively and efficiently meet the risks associated with cyber threats," Maria T. Vullo, the state's superintendent of financial services, said in a press release Wednesday.
The New York regulator said it would propose a final rule after a 30-day period of public comment. "DFS will focus its final review on any new comments that were not previously raised in the original comment process," the release said.
The plan is slated to take effect March 1.