N.Y. Updates Cybersecurity Rule After Backlash

The New York Department of Financial Services has modified its cybersecurity rule after financial executives registered a number of complaints at a hearing in Albany last week.

First proposed in September, the plan would have imposed a number of explicit requirements on credit unions and banks, including the appointment of a chief information security officer. Financial executives complained the rule would be too costly and would not conform closely enough to existing federal regulations to be easily implemented.

As a result, the agency said Wednesday it updated the plan to reflect that feedback. The updated proposal still includes requirements for the chief information security officer, but the timeline for reporting and testing was eased somewhat. In addition, the new plan created additional exemptions for encryption and multi-factor authentication requirements, and staggered the implementation period for the final rule.

Institutions will have more time to notify the New York regulator of a cybersecurity incident, with a 72-hour window starting at the moment when the incident has been detected, instead of the moment the incident took place.

"This updated proposal allows an appropriate period of time for regulated entities to review the rule before it becomes final and make certain that their systems can effectively and efficiently meet the risks associated with cyber threats," said New York Superintendent of Financial Services Maria T. Vullo in a statement.

The New York regulator said it would propose a final rule after a 30-day period of public comment. "DFS will focus its final review on any new comments that were not previously raised in the original comment process," the statement said.

RJ Tamburri, communications director at the New York Credit Union Association, said the trade group did have counsel attend last week's hearing, noting that credit unions had previously filed comments on the initial rule.

NYCUA and the Credit Union National Association submitted a joint comment letter on the original proposal, which raised a number of concerns.

"Most notably, we expressed that the proposal was too prescriptive and took a one-size-fits-all approach to cybersecurity," Tamburri explained. "It didn't take into account the robust cybersecurity regulations and requirements that credit unions are already subject to."

Tamburri further said that his organization is still in the process of reviewing and analyzing the new proposed regulation, "but we do appreciate that the DFS has considered the many comments it received and issued this updated proposal."

The plan is slated to become effective March 1.

Palash Ghosh contributed to this report.
