NY DFS Cybersecurity Regulations Delayed Several Months: We hate to say we told you so … but we will anyway.
According to an article in Reuters — Exclusive: NY Financial Regulator to Delay Cyber Security Rules, the New York State Department of Financial Services is going to publish an updated version of its cybersecurity rules by the end of December and then delay implementation until March 1, 2017, after the public review period has concluded.
It would appear that someone in Albany is reading our blog (well possibly not, but we occasionally enjoy feeling self-important) and based on our analysis has decided to postpone the implementation of the NY DFS Cybersecurity Regulations which we (and countless others) blasted in the following posts: Proposed Department of Financial Services Regulations (“DFS”), “N.Y. Regulators Consider Cybersecurity Requirements for Banks and Insurers”, “New York: Proposed Regulations for Cybersecurity come up Short”, and Opinion: Proposed NY Cybersecurity Regulations — Not Great but better than nothing? This topic was also covered by Judith Germano’s article — Proposed NY Cybersecurity Regulation: A Giant Leap backward? which appeared in Forbes.
Hopefully, this will give lawmakers in Albany as well as legislators across the nation ample time to consider the model cybersecurity framework that is currently being developed by a task force of U.S. state insurance regulators, according to the article. Or perhaps they will turn to the National Institute of Standards and Technology (“NIST”) which has put some effort into building cybersecurity frameworks. Certainly, the last thing we need are more knee-jerk feel-good reactions to cybersecurity which do nothing to tackle the real issues and are akin to a band-aid approach where perhaps surgery is the wiser course of action.
So Happy Holidays to the Banks and Insurers within NY; hopefully this last-minute reprieve is followed by a common-sense holistic approach to cybersecurity hygiene and not simply more political rhetoric. Let’s be very clear on this, cybersecurity is an extremely important issue facing the public-sector, the private-sector, as well as individuals. We need action but first we need an overall strategy to ensure that the tactics developed provide a complete and comprehensive framework and aren’t just a patchwork cobbled together by individual regulatory fiefdoms.