Clock starts on cyber compliance
Posted On: Mar. 6, 2017 12:00 AM CST
Financial institutions governed by New York’s new cyber security regulation will have numerous and perhaps confusing implementation deadlines, but many firms have already started down the compliance path.
“The companies knew ever since this was proposed that this was going to happen,” said Angela Gleason, senior counsel for the American Insurance Association in Washington.
In response to concerns about implementation time frames, the New York State Department of Financial Services added several transitional periods to its regulation.
But Ms. Gleason said there may still be some confusion on these transition periods. For example, companies are required to complete their risk assessments by March 1, 2018, but some elements of the cyber security program that would be driven by the risk assessments must be in place within 180 days.
“In a way, it essentially forces you to move up your risk assessment, but there is still some room for a longer transition period, which helps companies,” she said.
The department also reduced the retention provisions related to audit trails — designed to reconstruct material financial transactions sufficient to support normal operations and obligations, and detect and respond to cyber security events — to five years, or three years for certain records, from six years.
Concerns about the compliance time frames in the original proposal have been alleviated to some extent by the department’s adoption of the risk-based approach, said Kristina Baldwin, Albany, New York-based vice president of state government relations for the Property Casualty Insurers Association of America.
“But these are very comprehensive requirements, and in some cases the time frames for compliance are as short as 180 days,” she said. “There are concerns it may be difficult for companies to meet these deadlines.”