New York’s Cybersecurity Regulations For Financial Institutions Take Effect

King & Spalding

On August 28, 2017, regulations first announced by the New York Department of Financial Services (“DFS”) in September 2016 took effect, marking the start of the first compliance period for covered financial institutions operating in New York state. Banks, insurance companies, and other financial services firms regulated by DFS are required to have, among other things, a cybersecurity program in place to protect customers’ private data; a written policy on cybersecurity approved by the board or a senior officer; a Chief Information Security Officer and other qualified personnel to oversee and manage the program and cybersecurity risks; and an incident response plan to respond to and recover from material cybersecurity events.

The New York compliance requirements are the first cybersecurity regulatory scheme of their kind. “This day marks a significant milestone in protecting the financial services industry and the consumers they serve from the threat of cyber-attacks,” said DFS Superintendent Maria T. Vullo in a press release. “With cyber-attacks on the rise and comprehensive federal cybersecurity policy lacking for the financial services industry, New York is leading the nation with strong cybersecurity regulation requiring, among other protective measures, set minimum standards of a cybersecurity program based on the risk assessment of the entity, personnel, training and controls in place in order to protect data and information systems.”

Financial institutions that suffer material breaches must notify DFS within 72 hours of discovering the intrusion. DFS has set up a secure portal through which covered entities can submit notices of reportable cybersecurity events. The portal has previously been active for institutions to submit notices of exemption from portions of the requirements.

Additional compliance requirements announced by DFS as part of this initiative will take effect in phases, with deadlines forthcoming. For example, the requirement that a board officer or senior compliance officer certify that a company’s cybersecurity controls are adequate, which potentially exposes those individuals to criminal liability if the controls are found lacking, is slated to take effect in February 2018.

King & Spalding’s Data, Privacy & Security Practice Group previously covered the requirements of the DFS cybersecurity regulations in a Client Alert published August 8, 2017.
