Key Notes:

  • New York’s Department of Financial Services has proposed a comprehensive regimen of cybersecurity requirements, scheduled to go into effect in January 2017, that may serve as the model for legislation at the state and federal levels.

The New York State Department of Financial Services has proposed an expansive set of cybersecurity regulations that would apply to state-regulated banks, insurance companies and other financial services institutions, and to third-party vendors who have access to their systems or certain data. The proposed regulations are viewed as the most comprehensive set of governmental cybersecurity directives to date and may serve as the model for similar legislation at the state and federal levels. The regulations, contained at 23 NYCRR 500, are now in the midst of a 45-day comment period and are scheduled to go into effect January 1, 2017. Under the proposed regulations, all state-regulated banks and insurers would be required to develop comprehensive data and system protection policies, create an immediate response plan to address a breach, conduct penetration testing and vulnerability assessments, appoint a chief information security officer, assess their cyber vulnerabilities annually, and submit to the Department of Financial Services an annual certification of compliance.

Specifically, the proposed regulations require detailed cybersecurity policies and programs (Sections 500.2 and 500.3) that must be reviewed and approved at the board level. They also contain a specific disclosure requirement: a company would have 72 hours to notify the Department of Financial Services of “any material risk of imminent harm relating to its cybersecurity program” (Section 500.17). The regulations also extend beyond the covered financial institutions and insurers to any vendor with access to information systems or data (Section 500.11). Limited exemptions exist for entities that fall below certain revenue, asset and/or customer thresholds.

While New York Governor Andrew Cuomo presented the regulations as an important “first in the nation” structure for regulation of cyber issues, opponents are primarily concerned about inconsistencies among federal and other states’ regulations and the burden of adhering to multiple layers of regulations and disclosure requirements.