New York Becomes the First State to Propose Mandatory Cybersecurity Regulations for Private Financial Institutions


By: Kacie L. Manisco 

The New York State Department of Financial Services (“DFS”) recently announced proposed regulations that would require banks, insurance companies and other financial institutions to establish programs and policies for responding to cyberattacks and data breaches. The regulations are sweeping and would not only affect New York-based companies, but also financial institutions that conduct business in New York or that have customers who are residents of New York. This is reportedly the first time that a state or federal regulatory agency is seeking to implement mandatory cybersecurity rules for private institutions.

Among other detailed requirements, the new regulations would mandate that financial services entities implement a comprehensive cyber security program and a written cybersecurity policy. Companies will also be obligated to expand their C-level officers to include a Chief Privacy Officer. The rules additionally outline extensive requirements for the hiring and oversight of third-party vendors. Financial services institutions that enable their vendors to access nonpublic information will now have to establish minimum cybersecurity practices for vendors, engage in risk assessment, and conduct periodic assessment of vendors to verify that their cybersecurity practices are adequate.

The regulations further mandate that covered entities notify the DFS of any cybersecurity event that “has a reasonable likelihood” of impacting the entity’s “normal operation” or any nonpublic information within 72 hours of the breach.  Companies must also annually certify compliance with the regulations, and “maintain for examination . . . all records, scheduling and data supporting” the certification.

The proposal is nearing the end of a 45-day public comment period, and the new regulations could take effect as soon as January 1, 2017. While larger financial institutions presumably already have similar policies in place, these regulations could pose a challenge for smaller companies that are less equipped to implement detailed and extensive cybersecurity programs in such a short period of time. If your company falls under the mandates of these new regulations, please contact one of our Cyber Liability, Data Security & Privacy practice group attorneys for more information about developing a compliant plan.