The New York State Department of Financial Services (DFS) has updated its proposed cybersecurity regulations to provide businesses more reporting flexibility.
Under the new proposal, DFS gives organizations 72 hours to report a breach from the time they determine that a breach has occurred. In the original version of the regulation, businesses were required to report a breach within 72 hours of its actual occurrence.
At the time the proposed rule was announced, DFS was adamant that it would give companies leeway to assess their own risks. “DFS designed this groundbreaking proposed regulation on current principles and has built in the flexibility necessary to ensure that institutions can efficiently adapt to continued innovations and work to reduce vulnerabilities in their existing cybersecurity programs,” said DFS Superintendent Maria T. Vullo in September. “Regulated entities will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks.”
Nevertheless, the regulator’s initial proposal received criticism from some industry groups for being too difficult to implement, noted The Wall Street Journal. For example, the American Insurance Organization argued that the six-year data retention period mandated by the original rule would create a stockpile of data for hackers to zero in on. DFS has now reduced that period slightly to five years.
Brad Deflin, founder of Total Digital Security and a speaker at the 2016 AFP Annual Conference, doesn't see this move by DFS as an easing of the rule, but rather as a collaborative effort between the public and private sectors to get a very difficult subject right. “For example, the adjustment to the 72-hour rule is realistic and aligned with seeking a position to ‘respond’ versus ‘react’, which is crucial in the aftermath of a breach,” he said. “Unless the breach activity is actually witnessed, there is not much, if any, of a ‘crime scene’ to work from and report without a period of forensics and evaluation. I’m sure the DFS wants a degree of integrity to the data they collect, and additional time can help in this regard.”
The revised rule will be finalized following another comment period, this one for 30 days.
The proposed rule would be one of the first in the United States to require banks, insurance companies and other financial services institutions regulated by DFS to establish and maintain cybersecurity programs and to appoint chief information security officers (CISOs). However, following a 45-day comment period, the regulator has decided to move the effective date back to March 1, 2017, rather than this month.