New York State Department of Financial Services Proposes Cybersecurity Regulation for Financial Services Companies

By Laura Stavetski


On December 28, 2016, the New York State Department of Financial Services revised its proposed cybersecurity regulation for financial services companies. The proposal requires banks, insurance companies and other financial institutions regulated by the Department to establish a cybersecurity program and to designate a chief information security officer (“CISO”). As the financial sector becomes more dependent on technology, its exposure to hacking grows, and companies across the country are taking steps to protect client information from potential security breaches.

The revised proposal attempts to give financial services companies more flexibility by simplifying some of the requirements and relaxing the reporting and timing requirements present in the original draft. The regulation requires each covered entity to implement and maintain a written cybersecurity policy approved by a senior officer or the board of directors. The revised proposal also phases in compliance: a general 180-day transitional period, extended to as long as eighteen months (and two years for some requirements) for the more demanding provisions, giving covered entities time to create appropriate written procedures and to establish policies. The most notable change, however, is that every covered entity must perform a “Risk Assessment” and use it to determine how to structure its cybersecurity program. While the original proposal also required periodic Risk Assessments, the updated proposal requires that the Risk Assessment and the cybersecurity program be based on the individual characteristics of the company and the specific risks it faces, rather than on a one-size-fits-all set of controls.

The revised proposal also changes the reporting requirements for cyber-attacks (which the regulation calls “Cybersecurity Events”). The original proposal required companies to report an attack within seventy-two hours of the event itself. After receiving comments, the Department amended the proposal so that companies must now notify the superintendent within seventy-two hours of determining that a Cybersecurity Event has occurred. Events that must be reported are those for which notice is required to be provided to any government body, self-regulatory agency or other supervisory body, or that have a reasonable likelihood of materially harming any material part of the normal operations of the entity. Because the clock now starts at the determination rather than at the event, a covered entity’s incident response procedures should record when and by whom that determination is made.

Governor Andrew Cuomo stated, “these strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place to protect businesses and clients from the serious economic harm caused by these devastating cyber-crimes.” New York is clearly leading the way with cybersecurity regulations such as these, but will other states soon follow? Many state regulators have been on high alert since the cyber-attack on Target in late 2013, which exposed roughly forty million payment card numbers and cost the company hundreds of millions of dollars. If New York’s cybersecurity regulation is implemented successfully, other states are likely to follow.


Student Bio: Laura is a Content Editor for the Journal of High Technology Law. She is currently a third year day student at Suffolk University Law School with a Business Law and Financial Services Concentration. She holds a B.A. in Economics from Roanoke College.

Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.