Business and Legal Insights

The New York Department of Financial Services (the “DFS”) recently announced a wide-reaching proposed cybersecurity regulation for the financial services industry (the “Proposed Regulation”).  The Proposed Regulation generally would apply to any institution supervised by the DFS, which ranges from multinational banks and life insurance companies to relatively small money transmitters.

The Proposed Regulation is the first of its kind in the United States, and other state and federal government entities are likely to issue their own cybersecurity regulations in the coming months and years. As the “first to market,” the Proposed Regulation may serve as the model for future regulations.

In a written statement, DFS Superintendent Maria Vullo characterized the Proposed Regulation as “groundbreaking,” and emphasized that “[r]egulated entities will be held accountable.”

Although most large financial institutions already have some cybsersecurity policies and procedures in place, industry advocates argue that the Proposed Regulation will require a significant outlay of costs and recourses. At a minimum, the Proposed Regulation presents additional regulatory exposure and potential liability.

The Proposed Regulation Requirements

The Proposed Regulation requires covered entities to create and maintain a written cybersecurity policy that outlines every aspect of its program and addresses how the entity complies with each of the requirements set forth in the Proposed Regulation. The policy must include an incident response plan. Covered entities will be required to name a Chief Information Security Officer, and to conduct annual penetration testing and quarterly vulnerability assessments.

Additionally, covered entities will be required to encrypt their “nonpublic information.” “Nonpublic information” is defined broadly to include any business-related information, information provided to a covered entity, healthcare information, and personally identifiable information.

Covered entities are also required to report to the DFS any attempt or attack “that has a reasonable likelihood of materially affecting the normal operation of the Covered Entity or that affects Nonpublic Information” within 72 hours after the entity becomes aware of the event.

Next steps involving the Proposed Regulation

Beginning in January 2018, the Chairman of the board or another senior officer (if there is no board) must certify in writing the entity’s full compliance with the Proposed Regulation. Although not expressly mentioned in the Proposed Regulation, the individual who signs the certification may be exposed to personal liability if the entity ultimately is found to be noncompliant.

The Proposed Regulation is subject to a forty-five day notice and comment period, following its September 28, 2016 publication in the New York State register.