New York Eases Proposed Cybersecurity Regulation for Financial Sector, But Practical Issues Remain
Key takeaways
- The New York Department of Financial Services has issued a second-round draft of its proposed cybersecurity regulation, subject to a new notice and comment period and now slated to go into effect on March 1, 2017.
- The new draft makes modest but meaningful changes towards a more risk-based and less prescriptive approach, maintaining the same broad range of cybersecurity requirements but building in some flexibility within most sections in response to industry comments.
- Covered Entities will now have somewhat more latitude to design and execute a cybersecurity program based on risk assessments of their own circumstances, including greater flexibility with respect to the use of encryption, the supervision of third-party service providers, the reporting of cyber incidents to DFS, and the schedule for compliance with the regulation.