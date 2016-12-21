New York's financial regulator will delay an
anticipated Jan. 1 deadline for banks and insurers doing
business in the state to comply with controversial cyber
security rules, a person familiar with the matter said.
The regulator, the New York State Department of Financial
Services, will publish a revamped version of its cyber security
rules in the New York State Register on Dec. 28, the person
said.
The new effective date, following a public review period,
will be March 1, 2017, the person said.
Once finalized, they will be the first rules of their kind
in the United States by any state or federal agency, the
regulator has said.
Banks and insurers have been fighting for an extension of
the compliance deadline and other changes since New York
Governor Andrew Cuomo issued the long-anticipated proposed cyber
security regulations in September.
The New York agency regulates state-chartered and foreign
banks licensed to operate in the state, including Goldman Sachs
Group Inc, Barclays Plc and Deutsche Bank AG
, and all insurance companies that do business in the
state.
On Monday, banking and insurance industry representatives
expressed their concerns about the rules in a hearing before New
York state lawmakers. Among their objections: The rules did not
distinguish between small and large financial institutions and
would possibly conflict with future U.S. government cyber
security rules.
The New York regulator received more than 150 letters from
banking and insurance industry groups, among others, in response
to the cyber security plan.
Other changes to be included in the revised rules are
unclear.
The planned regulations, in the works since 2014, followed a
series of high-profile hackings of U.S. companies and three
surveys by the regulator about cyber security programs at a
total of nearly 200 companies under its watch.
One report the regulator issued last year revealed that a
third of 40 banks it surveyed did not require outside vendors to
notify them of data breaches, which could compromise bank data.
A task force of U.S. state insurance regulators is also
developing a model cyber security law, which individual state
legislatures could ultimately choose to adopt.
Model laws, which cover a variety of subjects, typically
lead to more uniformity among state laws. But model laws first
must be finalized and approved by organizations developing them
before being considered by state lawmakers.