The New York Department of Financial Services (NYDFS) will delay the effective date of its proposed cybersecurity regulation until March 1, 2017. The previously anticipated deadline for banks and insurers doing business in the state to comply with the controversial cybersecurity rules was January 1.
Banks and insurers have been fighting for an extension of the compliance deadline and other changes ever since the regulator formally unveiled the proposed rules in September.
Banking and insurance industry representatives raised objections, including that ‘the rules did not distinguish between small and large financial institutions and would possibly conflict with future U.S. government cyber security rules.’
The original proposed regulation met with significant resistance, including reportedly more than 150 comment letters. Many of the comments identified the proposed regulation as highly prescriptive and lacking allowance for Covered Entities to make risk-based decisions on certain important technology matters.
A number of comments also requested the ability to distinguish between small and large Covered Entities in structuring cybersecurity programs based on size and risk. Some comments expressed concern that inconsistencies with federal and other state regulations, which are anticipated in the future, would make compliance highly complicated.