New York state’s financial regulator on Wednesday issued a revised proposal for the nation’s first cyber security rules for banks and insurers, loosening some security requirements and delaying implementation by two months to March 1.
The rules from the New York State Department of Financial Services are being closely watched because they lay out unprecedented requirements on steps that financial firms must take to protect their networks and customer data from hackers and disclose cyber events to state regulators.
“Many organizations are going to have a lot of work to do to come into compliance with these revised regulations,” said Jed Davis, a partner with law firm Day Pitney and former U.S. federal cyber crimes prosecutor.
The state revised the rules in response to more than 150 comments on its initial proposed regulations.
The New York Insurance Association in one letter called the regulation “too much of a ‘one size fits all’ rule” that was overly specific and too broad. A New York Bankers Association letter warned of unintended consequences that would “hamper efforts to protect the public and may defy its purpose of preventing cyber attacks.”
The revised regulations include easing some timelines and requirements, including standards for encrypting data and authenticating access to networks. They also provide more time for compliance, expanding the transition from six months to as long as two years.
The agency said it would finalize the rules after a 30-day comment period.
“This updated proposal allows an appropriate period of time for regulated entities to review the rule before it becomes final and make certain that their systems can effectively and efficiently meet the risks associated with cyber threats,” Financial Services Superintendent Maria Vullo said in a statement.
The American Bankers Association, a critic of the original draft, praised the revisions.
“Some good work has been done,” association Senior Vice President Doug Johnson said in a phone call. “Once we have in-depth conversations with our membership, there may still be some operational concerns we will want to express.”
Reuters first reported on the agency’s plan to delay the regulations last week.