The state Department of Financial Services’ new cybersecurity regulations that took effect starting Wednesday are touted as a protective shield for consumer data.
The new rules require banks, insurance companies and other financial services institutions regulated by the department to initiate cybersecurity programs that meet the new standards.
The regulations require adequately funded and staffed programs, overseen by qualified managers, with minimum standards for controlling access to systems, encryption of data and testing.
To look closer at the new regulations, we sat down with Paul Greene, a partner at Harter Secrest & Emery LLP and head of the firm’s privacy and data security practice, who has analyzed the regulations and the comments submitted to the state agency throughout the public comment period.
The new rules are “widely seen as the most restrictive set of cybersecurity regulations that are out there,” Greene said.
The first draft of the regulations were introduced in September, but the regulations were revised in response to some 150 comments received.
“They were very broad, sweeping new regulations and they resulted in a lot of pushback from the industry,” Greene said.
Because the rules apply to Wall Street, they will have a far-reaching impact.
One of the differences between the first draft of the regulations and the final version: 80 to 90 colleges and universities that were initially covered because they issue charitable gift annuities to donors are now exempt.
The new regulations will be phased in over the next two years.
“I do think it’s going to have a big effect. The question is whether it’s the right effect,” Greene said.
One of most aggressive aspects of the new regulations is the requirement a company must notify the state agency within 72 hours of a determination that a cybersecurity event has occurred with a reasonable likelihood of causing material harm to normal operations.
But deciding whether an event meets those particular criteria is a “tough determination,” Greene said.
3/3/2017 (c) 2017 Rochester Business Journal. To obtain permission to reprint this article, call 585-546-8303 or email firstname.lastname@example.org.