Accept All Cookies
As of August 28, 2017, insurance companies, banks, and other financial services companies regulated by the New York Department of Financial Services (“DFS”) must comply with an initial wave of new cybersecurity requirements intended to protect customer data, including maintaining written cybersecurity policies and procedures, designating a Chief Information Security Officer, and providing notice to the DFS of certain cybersecurity events.1 Going forward, additional rules will be phased in between the first quarter of 2018 and the first quarter of 2019. Once fully implemented, these “first-in-nation” cybersecurity rules will require not only the adoption of comprehensive cybersecurity programs intended to protect sensitive and confidential data from theft or destruction by cybercriminals, but also the imposition of cybersecurity risk management programs on third party service providers.2
The new rules apply to “Covered Entities,” which include natural persons or businesses “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization” under New York’s banking, insurance, and financial services laws.3 There are, however, certain exceptions and exemptions from the rules, including:
As of August 28, 2017, Covered Entities must comply with the following provisions:
Additional requirements under the DFS rules will become mandatory over the course of the next two years, including obligations to certify compliance and mandates for Covered Entities to adopt specific technological solutions for cybersecurity, such as two-factor authentication. Relevant dates include:
Cadwalader has created a brochure setting forth the relevant compliance deadlines, available by clicking here.
DFS Commissioner Maria Vullo has declared cybersecurity to be a high priority, vowing that “[r]egulated entities will be held accountable” for failing to safeguard customer information.6 Failure to comply will place Covered Entities – and, potentially, their employees, managers, and directors – at risk of enforcement actions and penalties. As a result, insurance companies, banks, and other financial services companies regulated by the DFS should consult with counsel regarding their cybersecurity programs in light of these strict new rules.
1 See New York Department of Financial Services, Cybersecurity Requirements for Financial Services Companies (Mar. 1, 2017), 23 N.Y.C.R.R. Part 500, available at http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf.
2 See Cadwalader Clients & Friends Alert, New York State Releases Final “First-in-Nation” Cybersecurity Rules (Feb. 28, 2017), available at http://www.cadwalader.com/uploads/cfmemos/4944e3e468c5f24b20e5f3c7e07135a0.pdf.
3 See 23 N.Y.C.R.R. Part 500 § 500.01(c).
4 See New York Department of Financial Services, Frequently Asked Questions Regarding 23 NYCRR Part 500 (updated Sept. 6, 2017), available at http://www.dfs.ny.gov/about/cybersecurity_faqs.htm.
5 See id.
6 See Press Release, Governor Cuomo Announces Proposal of First-in-the-Nation Cybersecurity Regulation to Protect Consumers and Financial Institutions (Sept. 13, 2016), available at http://www.dfs.ny.gov/about/press/pr1609131.htm.