Department of Financial Services Proposed Cybersecurity Regulation Edges Closer to Becoming Final Following Public Hearing

The New York State Assembly Committee on Banks held a public hearing on December 19, 2016, receiving testimony about both the benefits and challenges of a recently proposed regulation to address the growing threat posed by cyber-attacks on banks, insurance companies and most other entities which are regulated by the Department of Financial Services (DFS). The proposed regulation was initially published by DFS on September 28, 2016 and since that time has been subject to a public comment period before final issuance.

The proposed regulation, if adopted, is likely to require most DFS-regulated organizations to establish a cybersecurity program, including the adoption of policies and procedures, the reporting to DFS of all successful and unsuccessful cybersecurity attacks, the appointment of a chief information security officer to oversee cybersecurity plans, and the inclusion of certain required provisions in third-party service provider agreements.

Representatives from community banking and other relatively small DFS-regulated entities testified during the hearing that the proposed regulation is a “one size fits all” solution that is too onerous for small to mid-sized entities, fails to coordinate with existing federal cyber requirements, and seeks to focus on a national security threat that should be addressed exclusively at the federal level. They also noted that the reporting requirements under the proposed regulation are particularly onerous in that reporting would be required for both successful and unsuccessful cybersecurity attacks, which will add to regulatory compliance costs that will be passed on to the consumer, resulting in higher consumer prices and possibly reduced consumer choice in some markets. Other witnesses claimed the proposed regulation does not go far enough, calling for more comprehensive and prescriptive requirements. DFS did not testify at the hearing.

Meanwhile, DFS has indicated informally that it intends to publish a revised regulation in the coming weeks and that, in doing so, it will among other things extend the proposed regulation’s January 1, 2017 effective date. DFS has not signaled, either informally or formally, what other changes it intends to make in the revised regulation. It is possible the testimony from today’s public hearing could influence some of the changes.

We will report on this blog once DFS publishes its revised regulation. We continue to urge DFS-regulated companies to carefully review their current programs, policies, and procedures to understand their current cyber footing and evaluate what action, if any, they will need to take once the revised regulation is adopted.

Jackson Lewis P.C. © 2019


About this Author

Frank J. Fanshawe is a Principal in the Albany, New York, office of Jackson Lewis P.C. His practice focuses on health care law and privacy and data security. He has 25 years of experience, including significant real-world legal and executive-level experience with a nationally recognized health insurer in the northeastern United States.

Mr. Fanshawe previously served as a senior adviser to the New York State Senate Health Committee chair on legislative and public policy issues in connection with New York's deregulation of the hospital payment...

Rosemary McKenna is a Principal in the Albany, New York, office of Jackson Lewis P.C. She has more than 25 years of experience working with charitable, business and professional health care and commercial entities.

Ms. McKenna’s practice focuses on representing health care and commercial entities in transactional and operational matters. She has worked with national, state and regional organizations in all areas of their operations, including formation (drafting organizational documents, applications for tax-exempt status, policy/practice development and similar issues), continuing governance issues (including bylaws or organizational restructures, board composition/operational changes, review and revision of policies and compliance with statutory requirements), restructures (mergers, acquisitions, affiliations and other restructures), personnel policies, training and employment matters, licensing, trademark and copyright, contracting, and regulatory compliance. Ms. McKenna previously worked at several prestigious firms and as general counsel for a charitable organization focusing on medical initiatives.