Cybersecurity Regulation Finalized

February 16, 2017

Governor Cuomo has announced that the Cybersecurity Regulation under the jurisdiction of the Department of Financial Services (DFS) is finalized and will take effect on March 1, 2017. The regulation will be published on that date in the Department of State Register.

The text of the regulation is available here.

The final rule does not include many changes from the previously revised proposal. However, the Business Council was pleased to see that the carve out it advocated, for entities that do not actually maintain information systems and personal data and for institutions such as our colleges and universities that are certified under the Insurance Law to offer charitable annuities to donors, was added to the Exemption provisions of the final regulation, §500.19 (d) (f).

Many issues, including compliance with the 72-hour notice to the superintendent of a cybersecurity event (a defined term, §500.01(d)), will continue to be a challenge for institutions. Notice is required if notice of the Cybersecurity Event impacting the Covered Entity must be given to any government body, or where the event has a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity. The DFS rejected arguments that current statute provides sufficient notification of any breach.

Staff is continuing to review the final regulation. Please contact Lev Ginsburg with any questions or concerns.