Cybersecurity and Data Privacy: A Proposed New York State Regulation Would Impose First-of-Their-Kind Cybersecurity Requirements on Financial Services Companies

September 14, 2016

By: Michael D. Billok, Clifford G. Tsan, and Ryan P. Keleher

On September 13, 2016, New York Governor Andrew Cuomo announced that the New York State Department of Financial Services (DFS) has proposed a first-of-its-kind cybersecurity regulation intended to further protect New York State from data breaches and cyberattacks.

The proposed regulation requires DFS-regulated financial services institutions, including, but not limited to, banks, insurance companies, money service businesses and regulated virtual currency operators, to do the following:

  • establish a cybersecurity program designed to ensure confidentiality, integrity and availability of information systems;
  • adopt a written cybersecurity policy setting forth policies and procedures for the protection of their information systems and nonpublic information;
  • designate a qualified individual to serve as a Chief Information Security Officer responsible for overseeing, implementing and enforcing the cybersecurity program and policy;
  • adopt policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties; and
  • abide by a series of additional requirements to protect the confidentiality, integrity and availability of information systems.

Governor Cuomo said that "[t]his regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible."

The proposed regulation is subject to a 45-day notice and public comment period before its final issuance. The majority of the requirements in the proposed regulation are already suggested by the Federal Financial Institutions Examination Council, a panel of regulators including the Federal Deposit Insurance Corp., the Federal Reserve and the Office of the Comptroller of the Currency.

As this proposed regulation makes clear, New York State is becoming increasingly serious about imposing, and enforcing, requirements on financial institutions to ensure they take proper measures to protect New York State from data breaches and cyberattacks.

The full proposed regulation can be accessed at: http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf.

If you have any questions about this Information Memo, please contact Michael D. Billok, Clifford G. Tsan, Ryan P. Keleher or the attorney in the firm with whom you are regularly in contact.