The New York Department of Financial Services ("NYDFS"), which is responsible for the regulation of banks, insurers and other financial institutions that do business in New York, is a leader in the United States in putting more responsibility for cybersecurity on the entities it regulates and their respective directors and officers.
New rules developed by the NYDFS under 23 NYCRR Part 500 (the “Regulation”), which went into effect on March 1, 2017, require entities within the NYDFS's regulatory jurisdiction to implement specific cybersecurity protocols. These include the enactment of a comprehensive cybersecurity policy, a written incident response plan that provides for reporting breaches to the NYDFS within 72 hours, and security policies for third-party service providers who access nonpublic information. The new rules also put more responsibilities on directors and officers, requiring not only the designation of a chief information security officer ("CISO"), but also board certification to the NYDFS of compliance with the Regulation.
The Regulation requires the CISO to prepare an annual report to the board of directors of the regulated entity regarding its cybersecurity program. The report must (i) specifically address the identification of material cyber risks to the regulated entity, including any past material cybersecurity event, and (ii) report on any penetration testing and vulnerability assessments. The Regulation also requires reporting on multifactor authentication and cyber awareness training for all personnel.
Further, the first compliance certification from the directors and officers of covered entities must be submitted to the NYDFS by February 15, 2018. The Regulation requires that a so-called “Certification of Compliance” be signed by the chairman of the board of directors or a senior officer, who certifies that the regulated entity's cybersecurity program has been reviewed and that its cybersecurity protocol complies with New York state law.
Threats from hackers, thieves, third-party contractors, competitors and employees, as well as inadvertent misuse or loss of data, present potentially catastrophic financial and reputational risks to companies today. Even the most vigilant company can be a victim of a data breach or other cyber loss. With the enactment of this Regulation, New York is providing clear notice that it intends to hold directors and officers more responsible for ensuring that their companies are undertaking more active assessment of their own security policies and procedures. Even for those directors and officers whose companies are not subject to this Regulation, the responsibilities outlined in the enacted rules set forth a general standard of care that they too would be well-advised to consider and follow.
This article was written by Jonathan Meer at Wilson Elser Moskowitz Edelman & Dicker LLP in partnership with DAC Beachcroft LLP.