Follow the Bouncing Ball: Newly Revised Cybersecurity Regulations Scheduled for March 1 in New York

April 12, 2019

Newly revised cybersecurity regulations for financial service companies in New York are scheduled to take effect March 1, 2017. The effective date for the new rules follows a two-month delay, as the New York State Department of Financial Services (“NYDFS”) made changes to the proposed regulation due to industry concerns.

Whatever specific date pans out, the proposed regulation would impose new, rigorous cybersecurity requirements on banks, consumer lenders, money transmitters, insurance companies and certain other financial service professionals (“Covered Entities”) doing business in the Empire State. Leading up to the new law taking effect, NYDFS sought to address some of the financial services industry’s concerns about the cybersecurity regulation, foremost among them that the law took too much of a “one-size-fits-all” approach.

The NYDFS clarified that the specific obligations of a “Covered Entity” under the law’s requirements would be based on “Risk Assessment.” However, the NYDFS stressed that this flexibility is not intended to allow a Covered Entity to employ a “cost-benefit analysis” approach to cybersecurity.

Per the proposed revisions with regard to Risk Assessment, here are a few things to keep in mind:

  • Audit trail systems are only required to the extent applicable and should be based on the Risk Assessment
  • Limitations on user access privileges to systems that provide access to “Nonpublic Information” should be based on the Risk Assessment
  • The required components of policies and procedures regarding the security of systems and information accessible to, or held by, third parties will depend on the applicable facts and the Risk Assessment

The NYDFS also added several new exemptions (or partial exemptions) in the proposed regulations, which include but are not limited to a Covered Entity that has fewer than 10 employees, independent contractors or less than $5 million in gross annual revenue in each of the past three fiscal years.

Cybersecurity is a fluid situation taking up an increasing amount of oxygen for the incoming Trump administration and corporate America alike. Whatever new twists and turns the New York State law takes, the overall objective for financial service companies operating in New York is to maintain a robust cybersecurity program and a written cybersecurity policy.

A 30-day comment period runs until Jan. 27, 2017. Stay tuned.

For more information, contact your Anchin relationship partner or Jeffrey I. Rosenthal, Partner-in-Charge of Anchin’s Financial Services Practice at 212.840.3456.