State Regulatory Developments

New York Department of Financial Services Issues Revisions to Proposed Cybersecurity Regulation

Recently, the New York Department of Financial Services (NY DFS) issued the first state regulatory code requiring financial services companies to comply with certain cybersecurity standards. The new regulation imposes minimum cybersecurity standards designed to promote the protection of customer information as well as the information technology systems of regulated entities. In December, the NY DFS issued revisions to its proposed regulation, including moving the effective date to March 1, 2017.

The new regulation requires that each financial services entity under the supervision of the NY DFS create and maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the entity’s information systems. In addition to the program, entities must have a “risk assessment” that is able to accurately and rapidly detect and alert the financial services institution to a potential cyber-attack.

Beyond moving the effective date to March 1, 2017, the December update to the regulation includes the following items:

  • Certain elements of the regulation are intended to be risk-based and tied to the above-mentioned “risk assessment.” The NY DFS does not want the risk assessment to be used as a cost/benefit means of identifying acceptable losses. Rather, the intention of the regulation is to motivate the entities to create a robust cybersecurity program and policy and police it vigorously for “cyber events.”
  • The definition of “nonpublic information” was revised, changing what types of personally identifiable information will be considered “nonpublic information.”
  • While entities must have an individual who either is, or fulfills the responsibilities of, a “Chief Information Security Officer,” an entity need not make a new hire or exclusively designate an individual for the CISO role. This means that while a company must have a “Chief Information Security Officer,” the person who fills that role may also have other duties.
  • There are several limited exemptions to the regulation, including one for covered entities that do not control, generate, or receive nonpublic information and another for small covered entities.

The implementation will be staggered, with a general 180-day period from the March 1 effective date to allow entities to comply with the requirements of the new regulation, such as hiring a CISO, putting a risk-management system in place, and ensuring data security standards are compliant. Beyond that, there are additional periods of either 12, 18, or 24 months for compliance with certain specified sections of the regulation.