A new mandate on financial services companies to establish broad safeguards against cyberattacks is being pushed back by two months, New York state regulators said last month.

In amendments to the cybersecurity rules filed in September, the Department of Financial Services (DFS) said it was retaining the general parameters of its requirements, despite negative comments from trade groups and companies within the affected banking and insurance industries.

"DFS believes that the proposed regulation effectively addresses the required elements of a cybersecurity program at this time, along with DFS's overall supervisory authority," the agency said in an "assessment" of 150 public comments it received.

The revisions indicated that the department would delay the effective date of the new regulation from Jan. 1 to March 1, giving the affected companies 180 days, or until Sept. 1, to begin complying. The original compliance date had been July 1.

The department did not change the date by which regulated companies would have to submit a certificate of compliance to the department — Feb. 15, 2018 — attesting that they were complying with the terms of the cybersecurity protections. The agency altered its plan in a few areas that public comments indicated were of most serious concern to regulated companies. In particular, the department said it would allow companies more latitude to tailor their cybersecurity plans to the particular weaknesses reflected in the risk assessments that the state will require banks and insurers to perform.

Most of the negative comments included criticism that the proposal did not give companies enough flexibility to address the areas where security risks to their records were most pressing.

The department also eased the reporting requirements for when "cybersecurity events" occur. While still requiring companies to notify it within 72 hours, the department said the mandate would apply only to incidents that companies concluded had a reasonable likelihood of compromising confidential information.

The department said it would still require companies to file copies of their updated security plans each year and to regularly update those plans as the risk of threats demands.

It also preferred to continue with the parameters of the plan it advanced in September, in answer to critics who said the state should harmonize its cybersecurity guidelines with those developed by other regulating entities such as the National Institute of Standards and Technology, or by Congress under the Gramm-Leach-Bliley Act.

"The department has been continually mindful of other standards and approaches and believes that the revised regulation is appropriately consistent with the goal of setting minimum [cybersecurity] standards," a revised version of its proposed cybersecurity regulation, published Wednesday by the New York Department of State, explained.

The department said it was reworking its regulations to make clear that companies will be required to designate a chief information security officer, but not to hire a new employee to fill the position.

Edward McAndrew, a partner and cybersecurity expert at Ballard Spahr in Washington, D.C., said Wednesday the revised regulations reflect the department's willingness to compromise, particularly over providing companies flexibility to tailor security programs according to what their risk assessments indicated need work. "I think that's really important and it goes a long way toward responding to the concern that this was a one-size-fits-all requirement," McAndrew said.

He said the narrowing of the reporting requirement to only those incidents that appear to have actually caused breaches of security will reduce the obligations of companies and the record-keeping responsibilities of the financial services department.

McAndrew and Michael Gottlieb, a partner at Boies, Schiller & Flexner and a leader of the firm's privacy, cybersecurity and technology practice, agreed in separate interviews Wednesday that the implementation of the New York rules would probably prompt other regulators to act.

"From the moment it goes into effect, the DFS cybersecurity regulation will raise the bar for U.S. cybersecurity compliance standards," Gottlieb said. "Other regulators may follow suit with increasingly specific and stringent requirements."

Aaron Tantleff, a partner at Foley & Lardner in Chicago who specializes in cybersecurity issues, said that while he welcomed the additional clarity and flexibility the DFS brought to the New York regulations, he doubted that the two-month delay to March 1 will give companies much additional time to prepare for the new rules. Publication Wednesday of the revisions to its regulations, which are contained in Financial Services Law §§102, 201, 202, 301, 302 and 408, started a new 30-day period for public comment.

DFS Superintendent Maria Vullo said in December that delaying the effective date of the regulation should give all regulated entities time to make sure their systems "effectively and efficiently meet the risks associated with cyberthreats."

Gov. Andrew Cuomo hailed the department's proposal in September as the first of its kind in the nation and said he supported the initiative.
