This is the first installment in a three-part series examining the New York State Department of Financial Services' (“DFS”) new cybersecurity regulation. The Patterson Belknap Privacy and Data Security Team has studied the regulation, its legislative and regulatory underpinnings, and its practical consequences.
In our first post, we provide an overview of what financial institutions, insurance companies, and their boards of directors should expect—and begin to prepare for—when the DFS regulation goes into effect early next year. Institutions covered by the regulation will have 180 days to implement its requirements. Here, and in upcoming posts, we identify priority issues and practical steps that board members, senior executives, in-house counsel and other stakeholders should begin to consider as the regulation is implemented.
The regulation is detailed, far-reaching and, in some respects, unprecedented. New York Governor Andrew Cuomo called the new rules a “first-in-the-nation regulation” designed to protect financial institutions and their consumers from cybercrime. For the more than 3,000 financial institutions and insurance companies affected, the regulation's scope and requirements will require a fresh and in-depth look at their overall cybersecurity preparedness, governance and defenses.
The proposed rules cover organizations regulated by the DFS. Such institutions include any company operating with a “license” or “similar authorization” under New York’s “banking law, the insurance law or the financial services law.” Even many foreign and out-of-state branches and smaller financial institutions will be subject to the new DFS cybersecurity regime.
The requirements are substantial. Premised on the principle that cybersecurity is a core tenet of corporate governance, the regulation mandates—unlike any other state’s regulatory scheme—board-level engagement in an organization’s cybersecurity preparedness. That involvement includes annual board review of the company’s cybersecurity policies. Those policies, under the DFS rules, must also be reviewed and approved by a senior corporate officer.
Corporate governance is just the beginning. The DFS will effectively regulate all corners of an institution’s cybersecurity policies, procedures, and practices. The regulation will require companies to reevaluate and substantially enhance their day-to-day cybersecurity practices. For example, regulated institutions must:
- conduct quarterly testing of relevant systems;
- maintain audit trails that track and retain the data needed to detect and respond to a cybersecurity event;
- use multi-factor authentication for access to specified types of data and systems;
- encrypt all nonpublic information “both in transit and at rest”; and
- provide “regular cybersecurity awareness training sessions” to “all personnel.”
It will also require regulated entities to ensure that their third-party vendors operate under similar cybersecurity policies of their own.
COMING THIS WEEK:
We will post entries on this blog relating to two key aspects of the regulation: Corporate Governance and Third Party Obligations, including those affecting law firms. While not meant to be comprehensive, our hope is that this series will be a useful resource for institutions and their boards in starting the process of implementing the new DFS cybersecurity regulations.