The New York Department of Financial Services (“DFS”) adopted final revisions to its new cybersecurity regulations, which apply to a wide range of insurance, banking and financial services companies (“Covered Entities”) under its supervision (see previous coverage of the proposed revisions). The regulations will take effect on March 1, 2017, and, starting in 2018, will require a Covered Entity to prepare and submit to the DFS, annually by February 15, a Certification of Compliance concerning the firm’s cybersecurity compliance program.
Required elements of the program include (i) the means to prevent and detect cyber events, (ii) the development of a cybersecurity policy, (iii) the appointment of a “qualified” chief information security officer, (iv) testing programs, (v) audit trails and (vi) access controls.
New York Governor Andrew M. Cuomo praised the new regulations:
“These strong, first-in-the-nation protections will help ensure [the financial services] industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”
Lofchie Comment: New York State has been very aggressive in regulating and sanctioning firms engaged in financial activities. In their original form, the rules proposed by New York State to regulate “money laundering” set impossible-to-meet compliance standards. (Ultimately, the rules adopted by New York State were less draconian than those that were proposed originally, but that is saying very little.) The adopted Cybersecurity regulations are open-ended, complex and burdensome and will result in creating many new ways for the government to collect fines when something goes wrong. The fact that New York State rushed to declare itself “first in the nation” to adopt such a detailed set of rules suggests that its local government is too eager to place onerous requirements on the financial sector and, as a consequence, expand opportunities to collect fines.
That said, firms must abide by the new compliance obligations and do their best not to give New York State an opportunity to collect.