By Jennifer Archie, Alan Avery, Serrin Turner, and Pia Naib

Dozens of financial institutions and trade associations have lodged emphatic objections with the New York State Department of Financial Services (NYSDFS) in response to the Department’s September 28, 2016 Notice of Proposed Rulemaking entitled “Cybersecurity Requirements for Financial Services Companies” (the Proposed Rules). As published for comment in the New York State Register, the Proposed Rules would impose expansive new cybersecurity requirements on entities under NYSDFS’ jurisdiction (and, through contract, would likely also impact service providers that process or store non-public information on their behalf). The Proposed Rules are considerably more prescriptive than cybersecurity guidance and standards promulgated by other financial regulators and, if adopted in their current form, would significantly ratchet up cybersecurity compliance obligations for affected institutions.

Interested parties were given the opportunity to provide feedback to NYSDFS on the Proposed Rules in a public notice-and-comment period that ended on November 14, 2016. The selected comments reviewed in this Client Alert cover a wide range of topics, but are animated by an overarching criticism that the Proposed Rules impose sweeping, categorical mandates as opposed to flexible, risk-based standards. The contemplated approach, the commenters warn, is at odds with well-accepted principles of cybersecurity governance and would impose significant costs on financial institutions that are not justified by the cybersecurity benefits.

Recent reports indicate that, in light of the comments, the NYSDFS intends to modify the Proposed Rules and delay the effective date, which had initially been designated as January 1, 2017. How far NYSDFS goes toward modifying the Proposed Rules may signal where regulatory trends are headed in this area and how aggressively regulators may seek to exert pressure on businesses to incorporate specific policies and practices into their cybersecurity programs.

Read our full client alert: Financial Institutions Await Response to Concerns Over NYSDFS’ Proposed Cybersecurity Rules