Regulations Proposed by NY Department of Financial Services are a Significant Development for Regulated Entities … and Everyone Else

On September 13, 2016, New York Governor Andrew M. Cuomo announced new first-in-the-nation proposed regulations to protect against the ever growing threat of cyber-attacks in the financial services industry.

The proposed regulations, to be enforced by the New York State Department of Financial Services, would apply only to an entity regulated by the NY Department of Financial Services – from a multi-national bank to a “mom-and-pop” operation. However, the regulations are important for all companies to review and consider, regardless of their location or scope of operations, because the proposal represents an important step in the ongoing national dialogue about reasonable and necessary cybersecurity standards for all businesses.

If adopted in the present form, the proposed regulations would require a regulated entity to implement a variety of measures, including the following:

• establishing a cybersecurity program that identifies cyber risks, detects and responds to cybersecurity events, mitigates exposure in the event of an actual event, and restores normal business operations post event;
• implementing policies and practices to protect unauthorized access to or use of any “non-public information”;
• designating a qualified individual to serve as the organization’s Chief Information Security Officer;
• implementing due diligence policies and procedures to insure that third party vendors with access to any of the organization’s “non-public information” have appropriate data security practices;
• annual testing and assessment of the company-wide cybersecurity program; and
• employment and training of dedicated cyber security personnel, and training for all personnel on cybersecurity awareness.

Additional requirements include maintenance of an audit trail system to reconstruct transactions and log access privileges, limitation on access privileges, multi-factor authentication for individuals accessing internal systems, destruction of all “non-public information” no longer required to be retained for ongoing operations or by applicable law or regulations, and encryption of “non-public information” whether being held or transmitted.

The proposed regulations include components of various existing federal and state law requirements, as well as controls that are already recognized as “best practices” for data security. However, the breadth and scope of the proposed regulations will certainly present a myriad of compliance challenges for any covered entity.

The proposed regulations were published in the New York State Register on September 28, 2016, and will be subject to a 45 day notice and public comment period. If adopted, it is anticipated that the final regulations would take effect on January 1, 2017, with a 180-day period for implementation and compliance with the new requirements. We will continue to monitor the proposed regulations and report further developments as appropriate.