
Significant Changes Ahead in Cyber-Security for New York State Banking, Insurance, and Financial Services Companies


On September 28, 2016, proposed cybersecurity regulations from the New York State Department of Financial Services (“DFS”) were published in the New York State Register.  They apply to companies that operate under New York banking, insurance, or financial services laws.  The proposal is open to a 45-day notice and public comment period following its September 28, 2016 publication, and if it is adopted, affected companies will have 180 days from the effective date to comply with its requirements.  A limited exemption is available to companies that meet all three of the following thresholds: (1) fewer than 1,000 customers in each of the last three years, (2) less than $5,000,000 in gross revenue in each of the last three years, and (3) less than $10,000,000 in year-end total assets.  For all other affected companies, the regulations may require significant changes to their current cybersecurity programs.

The regulations require the development of a cybersecurity program designed to perform five “core cybersecurity functions” (which track the five functions of the NIST Cybersecurity Framework):

• Identification of cyber risks;

• Implementation of policies and procedures to protect against unauthorized access or use and other malicious acts;

• Detection of cybersecurity events;

• Response to identified cybersecurity events to mitigate their negative effects; and

• Recovery from cybersecurity events and restoration of normal operations and services.

Appointment of Chief Information Security Officer: Affected companies will be required to designate a Chief Information Security Officer (“CISO”) responsible for overseeing and implementing the company’s cybersecurity program and enforcing its cybersecurity policy.  The CISO must also prepare a bi-annual report, available to DFS upon request, on the state of the company’s cybersecurity program.  The report must specifically:

• Assess the confidentiality, integrity and availability of information systems;

• Detail exceptions to cybersecurity policies and procedures;

• Identify cyber risks;

• Assess the effectiveness of the cybersecurity program;

• Propose steps to remediate any inadequacies identified; and

• Include a summary of all material cybersecurity events that affected the regulated institution during the time period addressed by the report.

Written Cybersecurity Policy: Affected companies would also be required to implement a written cybersecurity policy addressing at least fourteen specified areas.  The policy must be reviewed and approved annually by the board of directors and a senior officer (or, if there is no board of directors, by a senior officer alone).  The fourteen areas are:

• Information security;

• Data governance and classification;

• Access controls and identity management;

• Business continuity and disaster recovery planning and resources;

• Capacity and performance planning;

• Systems operations and availability concerns;

• Systems and network security;

• Systems and network monitoring;

• Systems and application development and quality assurance;

• Physical security and environmental controls;

• Customer data privacy;

• Vendor and third-party service provider management;

• Risk assessment; and

• Incident response.

Encryption of Nonpublic Information: The regulations require companies to encrypt nonpublic information both in transit and at rest.  Where encryption is not immediately feasible, a company may rely on appropriate alternative controls instead, but only for one year for data in transit and five years for data at rest.  Companies must also implement authentication procedures for access to information systems and nonpublic information, and maintain audit trail systems that track financial transaction, accounting, and system access data and retain that data for six years.  Further, access privileges to information systems and nonpublic information must be limited to those who need such access to perform their responsibilities (i.e., least privilege).

Third Party Information Security Policy: In addition to the above-described written policies, companies will be required to implement written policies and procedures addressing the cybersecurity practices of third party providers.  A “Third Party Information Security Policy” must set out how third party providers and the risks they pose are identified and assessed, state the minimum cybersecurity practices required for a third party to do business with the company, and address the due diligence process for evaluating those third parties.  Companies must also establish “preferred provisions” for use in agreements with third parties that hold the third parties contractually accountable for their cybersecurity practices.

Additional Requirements: Commencing January 15, 2018, each company must certify annually that it is in compliance with these rules and retain the supporting records for five years.  The rules also call for periodic activities: an annual cybersecurity risk assessment, annual penetration testing, and quarterly vulnerability assessments.  Affected companies must regularly provide mandatory cybersecurity awareness training and employ sufficient cybersecurity staff to manage risks and perform the core cybersecurity functions.  Companies will have 72 hours to notify the New York State Department of Financial Services of certain cybersecurity events, such as a security breach, that have a reasonable likelihood of materially affecting normal operations or nonpublic information, and must have a written incident response plan in place.

The proposed regulations go significantly beyond the federal requirements currently in effect in these areas and impose a number of new obligations, particularly the annual cybersecurity risk assessment, notification of state authorities within 72 hours of a qualifying cybersecurity event, and the designation of a Chief Information Security Officer.  Affected companies should consult with their legal counsel and security experts to determine what updates and changes they will be required to make under the new regulations.

