The New York State Department of Financial Services (NYDFS) recently promulgated cybersecurity regulations (23 NYCRR Part 500) for the financial institutions it supervises. These regulations are likely to increase the personal exposure of directors and officers (D&Os) and, in turn, the volume of claims against them.
The NYDFS regulations create new obligations for covered financial institutions, including adopting a written cybersecurity program and written policies and procedures, designating a chief information security officer (CISO), conducting periodic cybersecurity risk assessments, and certifying compliance to NYDFS annually through the board of directors or a senior officer. D&Os are responsible for overseeing compliance with these rules, and the annual certification puts their names on the record. Failure to comply could result in fines and penalties, as well as litigation.
It is imperative that D&Os take reasonable steps to ensure that their financial institutions comply with the NYDFS regulations, including active, documented review of security policies and procedures rather than passive reliance on management's assurances. Tabletop exercises should be conducted to test incident response and expose gaps in process and decision-making, and they should be paired with the vulnerability assessments and penetration testing the regulations call for, which are what actually surface technical weaknesses. Findings from both should be tracked to closure so that corrective actions are taken and can be shown to have been taken.
Plaintiffs' law firms have aggressively pursued businesses by filing class action lawsuits arising out of data breaches. To date, such claims have met with limited success, largely because plaintiffs have struggled to establish a concrete injury and a clear duty that was breached. The new NYDFS regulations may change that calculus: they impose specific, documented obligations on D&Os, so a failure to have the institution in compliance is a far more concrete basis for a claim than a general allegation that data was not adequately secured.
Insurers should be aware of the additional risk to D&Os created by the NYDFS regulations and the effect it could have on losses. To mitigate that risk, insurers should update their D&O applications to ask whether the financial institutions (and any other regulated businesses) they underwrite are in compliance with the regulations, so that the exposure can be rated accordingly.
Further, it is generally expected that regulations such as those instituted by the NYDFS are only the first of many steps states will take to ensure that financial institutions properly manage and secure data. Other states may adopt regulations that are more stringent than New York's, further increasing the likelihood of a violation and of resulting litigation. Financial institutions and insurers should continue to monitor such regulations to ensure that appropriate measures are in place to mitigate these exposures.