New York State’s Department of Financial Services (DFS) has just released its revised, first-in-the-nation proposed cybersecurity regulation. In formulating the revised proposal, DFS took into account the more than 150 comments it received on its original proposal, released in September 2016. The new proposal keeps many of the original requirements, such as a Cybersecurity Program, a written Cybersecurity Policy, and the designation of an individual responsible for implementing and overseeing the program, but it differs in a number of very significant ways, highlighted below:
DFS has retreated from the prescriptive approach it took in its original proposal. Under the new proposal, an entity’s Cybersecurity Program “shall be based on the Covered Entity’s Risk Assessment.”
DFS has deleted the requirements to identify the Covered Nonpublic Information stored by the Covered Entity and to identify its sensitivity.
There is a new requirement to address “asset inventory and device management” in the Cybersecurity Policy, while the requirement to address “capacity and performance planning” has been eliminated.
The Cybersecurity Policy must be approved by a Senior Officer or by the Board of Directors, but the requirement for annual review by the board or a senior officer …