New York Becomes First State to Propose Mandatory Cybersecurity Regulations for Private Financial Institutions


By: Kacie L. Manisco

The New York State Department of Financial Services (“DFS”) recently announced proposed regulations that would require banks, insurance companies and other financial institutions to establish programs and policies for responding to cyberattacks and data breaches. The regulations are sweeping and would not only affect New York-based companies, but also financial institutions that conduct business in New York or that have customers who are residents of New York. This is reportedly the first time that a state or federal regulatory agency is seeking to implement mandatory cybersecurity rules for private institutions.

Among other detailed requirements, the new regulations would mandate that financial services entities implement a comprehensive cybersecurity program and a written cybersecurity policy. Companies will also be obligated to expand their C-level officers to include a Chief Privacy Officer. The rules additionally outline extensive requirements for the hiring and oversight of third-party vendors. Financial services institutions that enable their vendors to access nonpublic information will now have to establish minimum cybersecurity practices for vendors, engage in risk assessment, and conduct periodic assessments of vendors to verify that their cybersecurity practices are adequate.

The regulations further mandate that covered entities notify the DFS of any cybersecurity event that “has a reasonable likelihood” of impacting the entity’s “normal operation” or any nonpublic information within 72 hours of the breach. Companies must also annually certify compliance with the regulations, and “maintain for examination . . . all records, scheduling and data supporting” the certification.

The proposal is nearing the end of a 45-day public comment period, and the new regulations could take effect as soon as January 1, 2017. While larger financial institutions presumably already have similar policies in place, these regulations could pose a challenge for smaller companies that are less equipped to implement detailed and extensive cybersecurity programs in such a short period of time. If your company falls under the mandates of these new regulations, please contact one of our Cyber Liability, Data Security & Privacy practice group attorneys for more information about developing a compliant

Copyright © 2016 Freeman Mathis & Gary, LLP