Guest Writer: Kim Phan and Roshni Patel with Ballard Spahr
The New York Department of Financial Services (“NYDFS”) has issued new cybersecurity regulations that went into effect on March 1, 2017. New York Governor Andrew Cuomo described the new regulations as the “first-in-the-nation” to require cybersecurity protections for New York consumers from the ever-growing threat of cyber-attacks.
Many companies continue to struggle with the question of how far the NYDFS regulations will reach outside of New York and whether the NYDFS cybersecurity approach will become the de facto national standard in the absence of further action on the federal level. Covered entities, as defined in the new regulations, include any individual or non-governmental entity operating under a license, registration, charter, certificate, permit, accreditation, or similar authorization under New York banking, insurance, or financial services laws.
Under the new regulations, NYDFS expects covered entities to implement highly specific technical measures as part of a cybersecurity program that addresses cybersecurity risks “in a robust fashion,” such as appointing a Chief Information Security Officer (“CISO”), deploying multi-factor authentication and encryption, conducting penetration testing, and heightened reporting of “cyber security incidents” to NYDFS within 72 hours. These state-level requirements differ dramatically from the risk-based approach generally taken on the federal level. Early versions of the NYDFS regulations were even more prescriptive, but in the face of harsh criticism from industry participants, the final regulations permit financial institutions to tailor certain aspects of their cybersecurity program to reflect the company’s own risk assessment.
Financial institutions will need to move swiftly in preparation for the upcoming compliance deadlines established under the NYDFS regulations. Compliance with the NYDFS regulations should be taken seriously at the highest levels of any company that is a covered entity, because a member of the company’s Board or senior management will be required to sign an annual certification confirming compliance with these regulations – the first such certification must be submitted no later than February 15, 2018. NYDFS urges “all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program” that complies with the minimum standards set forth in the new regulations.
Attorneys in Ballard Spahr’s Consumer Financial Services and Privacy and Data Security Groups can provide guidance on how to ensure compliance with the full range of state and federal privacy and data security laws and regulations impacting the consumer financial services industry. We regularly advise clients on the development and enhancement of risk-based information security programs, including conducting risk assessments and crafting comprehensive incident response plans.