New York state banking regulators Wednesday issued a revised draft of cybersecurity rules for the financial institutions they oversee — addressing several issues that had raised industry concerns.
The new draft is slated to go into effect Mar. 1, after a 30-day comment period ends Jan. 28, according to a statement from Department of Financial Services Superintendent Maria Vullo. The regulations would be the first of their kind in the U.S.
“This updated proposal allows an appropriate period of time for regulated entities to review the rule before it becomes final and make certain that their systems can effectively and efficiently meet the risks associated with cyber threats,” said Vullo.
The new draft replaces an earlier proposal that was scheduled to come into force Jan. 1 and had caused industry representatives to complain at a recent state assembly hearing. Since they cover New York, the new rules will have outsized national and international effects. The state is home to outposts of — and therefore can regulate — every major financial institution in the world.
The publication of the revised draft fulfills an undertaking the DFS made last week, when the agency said it was revising its original proposal after criticism from industry of a one-size-fits-all approach.
One close observer of the debate over the rules praised the DFS for meeting industry concerns.
“It’s clear that New York State took the public’s concerns seriously,” said David Damato, chief security officer at cybersecurity company Tanium, which numbers several large banks among its customer base.
“They’ve gotten rid of the one-size-fits-all approach that hampered the original regulations,” he said of DFS, “by recognizing that each bank should tie their cybersecurity approach to their individual risk assessment.”
He said DFS had also acknowledged “that reporting every single incident — even unsuccessful [attacks] — would have been unfeasible for large banks that see thousands of attempted intrusions every day.”