New York state’s financial regulator on Wednesday revised a proposal for the nation’s first cyber security rules for banks and insurers, loosening some security requirements and delaying implementation by two months to March 1.
The rules from the New York State Department of Financial Services are being closely watched because they lay out unprecedented requirements on steps that financial firms must take to protect their networks and customer data from hackers and disclose cyber events to state regulators.
“Many organizations are going to have a lot of work to do to come into compliance with these revised regulations,” said Jed Davis, a partner with law firm Day Pitney and former U.S. federal cyber crimes prosecutor.
The state revised the rules in response to more than 150 comment letters on its initial proposed regulations. Industry representatives voiced their complaints to state lawmakers at a hearing last week.
The Department of Financial Services responded by easing some timelines and requirements, including standards for encrypting data and authenticating access to networks.
The new draft also gives firms more time to comply with the rules, expanding the transition period from six months to as much as two years.
The agency said it would finalize the rules after a 30-day public comment period.
“New Yorkers must be confident that the banks, insurance companies and the other financial institutions that they rely on are securely handling and establishing necessary protocols that ensure the security and privacy of their sensitive personal information,” Financial Services Superintendent Maria Vullo said in the statement.
Reuters first reported on the agency’s plan to delay the regulations last week.
(Reporting by Jim Finkle in Boston; Editing by Richard Chang and Lisa Shumaker)