CLIENT ALERT: New York’s New Cybersecurity Regulations - Nuts & Bolts


The risk of a cyber-attack is ubiquitous, and a cyber-event can result in legal and financial liabilities that can cripple an affected organization. Recognizing the ever-growing threat of cyber-crime, the New York State Department of Financial Services (DFS) recently unveiled the Proposed Cybersecurity Requirements for Financial Services Companies, a proposed set of cybersecurity regulations for banks, insurers and other financial institutions aimed at protecting both institutions and individuals from cybersecurity events. Compliance with the regulations is mandatory. The regulations, which take effect January 1, 2017, seek to protect customer information as well as institutions’ information technology systems by requiring covered entities to assess their cyber risk, to implement programs and policies that address that risk, and to continually monitor their systems. This alert covers the ins and outs of the new regulations, including what you can do today.

Who’s Affected & What’s Protected?

The new regulations apply to Covered Entities, which means “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law.” The regulations are designed to protect Nonpublic Information, which includes business information, information provided by an individual while seeking a financial product or service or resulting from a related transaction, information created by or derived from a healthcare provider, and information that can be used to trace an individual’s identity (e.g. a Social Security number, date of birth or even biometric records).

What Does My Business Need To Do To Comply?

Programs & Policies

Covered Entities must design a cybersecurity program to identify cyber risks and to build defensive infrastructure that protects the Covered Entity’s systems and nonpublic information from unauthorized access. Covered Entities must also implement a written cybersecurity policy that addresses certain specified areas, including information security, access controls and identity management, business continuity and disaster recovery planning, vendor and third-party service provider management, and incident response. The cybersecurity policy must be reviewed by the board of directors or equivalent governing body at least annually.

To oversee and implement the programs and policies, Covered Entities must designate a Chief Information Security Officer (CISO) and employ sufficient cybersecurity personnel to manage their risk. Cybersecurity personnel must participate in regular training in order to stay abreast of changing cybersecurity threats and countermeasures. The CISO must report to the board or governing body biannually.

Each year, a Covered Entity must conduct a risk assessment of its information systems that includes penetration testing as well as a vulnerability assessment of those systems. Covered Entities must also implement and maintain audit trail systems that track and retain data sufficient to allow the complete and accurate reconstruction of all financial transactions, and to detect and respond to a cybersecurity event.

Data Access & Protection

Access to nonpublic information and the systems that hold it shall be limited solely to those individuals who require such access in order to perform their job responsibilities. Further, access to internal systems or data requires multi-factor authentication: verification of at least two of the three authentication factor categories, namely knowledge (e.g. a password), possession (e.g. a hardware token or a code delivered to a cell phone) and inherence (e.g. fingerprint data). Two credentials from the same category, such as a password and a security question, do not satisfy this requirement. All nonpublic information must also be encrypted, both in transit and at rest. Finally, Covered Entity policies must include procedures for the timely destruction of nonpublic information once it is no longer necessary.
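The two-of-three rule above is easy to get wrong in practice: a login that asks for a password and then a security question has still only checked one category. The following is an added example, not code from the alert or from DFS, showing how an authentication check can enforce the rule. It verifies a knowledge factor (PBKDF2-hashed password) and a possession factor (an RFC 6238 time-based one-time code) and then refuses access unless the verified factors span at least two distinct categories. The user record, salt, PBKDF2 round count and the fixed timestamp are constructed for the example; the TOTP key is the RFC 4226 test-vector secret, chosen only so the generated codes can be checked against the RFC.

```python
import hashlib
import hmac
import struct
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something you know (password, PIN, security answer)
    POSSESSION = "possession"  # something you have (TOTP app, hardware token)
    INHERENCE = "inherence"    # something you are (fingerprint, face)


# Category of each credential type. Two credentials that map to the same
# category (e.g. password + security question) are NOT multi-factor.
FACTOR_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "security_question": Category.KNOWLEDGE,
    "totp": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
}

PBKDF2_ROUNDS = 50_000  # assumption for the example; tune upward for production


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Slow, salted hash for stored knowledge factors (never store them in clear)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 of the 8-byte counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(key: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(key, now // step, digits)


# Constructed user record (not real credentials). The TOTP key is the RFC 4226
# test-vector secret so the codes can be checked against the RFC's tables.
SALT = b"constructed-salt"
USER = {
    "knowledge": {
        "password": hash_secret("correct horse battery", SALT),
        "security_question": hash_secret("fluffy", SALT),
    },
    "totp_key": b"12345678901234567890",
}


def verify_factor(kind: str, value: str, user: dict, now: int) -> bool:
    """Verify one presented credential; unsupported kinds fail closed."""
    if FACTOR_CATEGORY.get(kind) is Category.KNOWLEDGE:
        stored = user["knowledge"].get(kind)
        return stored is not None and hmac.compare_digest(hash_secret(value, SALT), stored)
    if kind == "totp":
        # Accepts only the current step. A production verifier usually tolerates
        # +/-1 step for clock skew and remembers used codes to block replay.
        return hmac.compare_digest(value.encode(), totp(user["totp_key"], now).encode())
    return False  # inherence verification is out of scope for this example


def authenticate(presented: list, user: dict, now: int, min_categories: int = 2) -> tuple:
    """Every presented factor must verify, and the verified factors must span at
    least `min_categories` distinct categories (the two-of-three rule).
    `presented` is a list of (kind, value) pairs. Returns (ok, reason)."""
    categories = set()
    for kind, value in presented:
        if kind not in FACTOR_CATEGORY:
            return False, f"unknown factor type: {kind}"
        if not verify_factor(kind, value, user, now):
            return False, f"{kind} failed verification"
        categories.add(FACTOR_CATEGORY[kind])
    if len(categories) < min_categories:
        return False, f"only {len(categories)} factor category presented; need {min_categories}"
    return True, "ok"


if __name__ == "__main__":
    NOW = 59  # fixed timestamp (an RFC 6238 test time) so the run is reproducible
    code = totp(USER["totp_key"], NOW)
    print(authenticate([("password", "correct horse battery"), ("totp", code)], USER, NOW))
    print(authenticate([("password", "correct horse battery"), ("security_question", "fluffy")], USER, NOW))
    print(authenticate([("password", "wrong"), ("totp", code)], USER, NOW))
```

The second call is the important one: both credentials verify correctly, yet access is refused because both are knowledge factors. Note also that the check fails closed on any credential type it cannot verify rather than silently counting it toward the category total.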

What About Third Parties?

Cybersecurity programs and policies must take into account Covered Entities’ transactions with third parties to ensure the security of nonpublic information. To that end, such policies and procedures must (1) address the identification and risk assessment of third parties with access to information systems and nonpublic information, (2) require that third parties satisfy minimum cybersecurity practices, and (3) require periodic (at least annual) assessment of third parties’ practices. Contracts with third-party providers must, to the extent applicable, include provisions requiring policies designed to minimize the risk of, and effectively manage, a cyber-event, including multi-factor authentication, the use of encryption, and prompt notice to the Covered Entity in the event of a breach. This requirement is critical because it means that out-of-state organizations that conduct business with New York regulated entities will effectively have to comply with these regulations as well.

What Should I Do & When?

The regulations take effect January 1, 2017, and Covered Entities will then have a 180-day transitional period in which to comply. It is therefore essential that a Covered Entity, as well as any organization that conducts business with Covered Entities, take action now.

The first step towards compliance is assembling the right team, with the knowledge and experience to guide your company through this process. The critical members of the team include IT, the appropriate business representatives, and legal counsel who can ensure regulatory compliance. Involving legal counsel may also allow attorney-client privilege to attach to the assessment work. For further information regarding compliance with these regulations, please feel free to contact any of the authors identified here.
