Guest Writer: Kim Phan and Roshni Patel with Ballard Spahr
The New York Department of Financial Services (NYDFS) issued new cybersecurity regulations that took effect on March 1, 2017. Governor Andrew Cuomo called them the "first-in-the-nation" rules to require cybersecurity protections for New York consumers against the growing threat of cyberattacks.
Many companies still ask how far the rules reach outside New York. They also ask whether the NYDFS approach will become the de facto national standard while the federal level stays quiet.
The rules define covered entities broadly. The term includes any individual or non-governmental entity that operates under a license, registration, charter, certificate, permit, accreditation, or similar authorization under New York banking, insurance, or financial services laws.
NYDFS expects covered entities to put specific technical measures in place. Those measures include hiring a Chief Information Security Officer (CISO), using multi-factor authentication, encrypting data, and running penetration testing. Covered entities must also report cybersecurity incidents to NYDFS within 72 hours.
This is a sharp break from the federal approach, which is generally risk-based. Early drafts of the NYDFS rules were even more prescriptive. After heavy criticism from the industry, the final rules let institutions tailor parts of their program to their own risk assessment.
Financial institutions need to move quickly toward the compliance deadlines. Covered entities should treat this as a board-level matter. Someone from the board or senior management must sign an annual certification confirming compliance. The first certification was due no later than February 15, 2018.
NYDFS urged every regulated institution that had not yet done so to adopt a cybersecurity program that meets the minimum standards in the rules.
Attorneys in Ballard Spahr's Consumer Financial Services and Privacy and Data Security groups advise on state and federal privacy and data security laws across the consumer financial services industry. They regularly help clients build and strengthen risk-based information security programs, including risk assessments and incident response plans.
Found This Useful? Let's Get You Set Up.
Start an application and an expert will tailor the next steps to your situation.