On March 1, 2017, New York’s Department of Financial Services (“NYDFS”) implemented a comprehensive cybersecurity regulation aimed at financial institutions (the “Cybersecurity Regulation”). NYDFS has already brought a number of enforcement actions under the regulation resulting in multi-million dollar consent orders, and with the proposed amendments to the regulation that were introduced on July 29, 2022, the prevalence of these types of actions will likely continue.
At bottom, the Cybersecurity Regulation requires any company that is licensed under NYDFS—such as money transmitters and recipients of BitLicenses—to implement and maintain a comprehensive written cybersecurity program that is designed to protect the company’s information systems and any non-public personal information stored on those systems. Among its many requirements, the Cybersecurity Regulation mandates that companies carry out and document a periodic risk assessment of their cybersecurity program, and establish policies and procedures governing information security, data governance, asset inventory, access controls, disaster recovery, incident response, and third-party service provider management. In addition, the Cybersecurity Regulation requires companies to appoint an individual responsible for oversight of the cybersecurity program, appropriately staff and train their cybersecurity roles, implement encryption or other controls, and perform annual penetration tests on their environments.
To date, NYDFS has demonstrated a commitment to aggressively enforcing the Cybersecurity Regulation, including a recent $30M settlement with a crypto company, a $5M settlement with an international cruise line, and a $3M settlement with a life insurance company. With proposed amendments to the Regulation recently announced, high-dollar enforcement actions will likely only increase.
In July 2022, the NYDFS Superintendent announced that NYDFS was considering several amendments to the Cybersecurity Regulation. NYDFS posted the proposed amendment for a public comment period that ran from July 29 to August 18, 2022. If adopted as presently drafted, the amendment would implement a number of key changes, including those summarized below.
Key Takeaway – Companies operating in the financial sector that are subject to NYDFS jurisdiction should begin preparing for these changes now. Although the proposed amendment may be modified to some extent prior to becoming final, the thrust of these new requirements will likely remain the same, and NYDFS has demonstrated that it is ready and willing to bring enforcement actions against perceived violators. To prepare for these changes, companies subject to NYDFS oversight should review their cybersecurity policies, procedures, and practices with counsel and begin prioritizing compliance efforts.