Banks, insurance companies and other financial service companies licensed or chartered by the state of New York will likely soon face increased cybersecurity requirements. Two years in the making, New York’s Governor Cuomo announced proposed cybersecurity regulations to be issued by the New York Department of Financial Services (NYDFS). While they do not apply to federally chartered institutions, which already have some level of cybersecurity regulation applicable to them, the new regulations will affect smaller financial institutions that may not have invested in cybersecurity to the same extent as the larger ones. Because of New York’s position as a financial center, the proposed requirements may lead the way for other states to follow, further raising the bar for cybersecurity practices. That higher level of cybersecurity may become the standard against which actions are judged to determine whether there was negligence in connection with a breach.
The new regulations will require all financial institutions regulated by the NYDFS to take a number of steps to increase the protection of their information systems and the nonpublic information in their possession. These include:
- Establishing, implementing and maintaining an entity-wide cybersecurity program and written policy designed to ensure the confidentiality, integrity and availability of the entity’s information systems.
- Having the entity’s board of directors review the cybersecurity policy annually, after which it is approved by a senior officer. A Certification of Compliance must then be submitted to the NYDFS.
- Designating a qualified individual to serve as Chief Information Security Officer, responsible for overseeing, implementing and enforcing the cybersecurity program and policy. The entity must also employ sufficient cybersecurity personnel to manage risks and to perform the core cybersecurity functions.
- Notifying the NYDFS within 72 hours of any cybersecurity event that has a reasonable likelihood of materially affecting the entity’s normal operations.
The mandated notifications will likely lead to many more disclosures by regulated banks and insurers. Until now, many breaches might have gone undisclosed, but once these rules take effect more institutions may need to consider not only the NYDFS disclosure requirements but also how to satisfy the various legal requirements associated with breaches, including customer notification requirements, credit monitoring and the potential for claims. All of those risks may in turn lead to increased interest by these entities in the protections found in cyber insurance policies.
There is a 45-day public comment period for the regulations announced on September 13, 2016. Final regulations will be issued at the end of that period and will become effective January 1, 2017. Companies will need to begin filing their annual Certification of Compliance on January 15, 2018.