New York to Revise Controversial Cybersecurity Proposal

The New York Department of Financial Services will revise a set of proposed cybersecurity regulations amidst numerous objections from bankers, according to reports today.

The original proposal — the first of its kind from a state regulator — would have required New York-chartered financial institutions to establish a cybersecurity program with written policies and procedures, designate a chief information security officer and meet a number of additional requirements including annual testing, risk assessments and periodic reviews of access privileges. The department did not specify what the revisions to the proposal would entail.

NYDFS received significant pushback on the proposal from bankers and other industry stakeholders, including ABA. Many cited the proposal’s “one-size-fits-all” approach, noting that requirements do not take into account variations in the business models, IT system structures or risk profiles of the institutions they affect. Other concerns include a lack of harmony between the proposal and federal regulations, onerous reporting requirements and the high costs of compliance.

The department is expected to issue its revisions to the proposal on Dec. 28 with a 30-day comment period. The revised rules would be effective March 1. For more information, contact ABA’s Denyette DePierro.