October 16, 2019

Financial Industry Reacts to New York’s Proposed Cybersecurity Regulation for Financial Services Institutions

On December 19, 2016, the New York State Assembly Standing Committee on Banks heard testimony about a proposed regulation introduced by the New York State Department of Financial Services that would require financial services companies to develop and implement cybersecurity programs to defend against cyber-attacks. As we covered when Governor Andrew Cuomo announced this first-in-the-nation regulation, the proposed rule imposes numerous obligations on a broad range of institutions regulated by DFS, including persons or entities operating under New York’s banking, insurance, or financial services laws.

At the hearing, representatives of a variety of impacted businesses and industries reacted to the proposed regulation and offered suggestions for improvement. Generally, the witnesses recognized the importance of cybersecurity and the need for government action—especially in light of recent high-profile hacking incidents. However, multiple commentators expressed concern over what they saw as overly broad, prescriptive requirements. For example, Laura Mazzara, Senior Vice President and Chief Risk Officer at Pioneer Bank, explained how the proposed regulation adopted a one-size-fits-all standard, when a more tailored, risk-based approach might be more effective in managing cyber risk. Along similar lines, multiple witnesses noted the costs that the proposed rule would impose on small or medium-sized businesses in New York, and how those costs might trickle down to consumers or impact New York’s ability to attract and maintain small businesses.

© 2019 Covington & Burling LLP


About this Author

Micaela R.H. McMurrough, Covington, Data privacy Lawyer
Special Counsel

Micaela McMurrough has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters. Ms. McMurrough also represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Ms. McMurrough has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of...

Ashden Fein, Litigation attorney, Covington Burling

Ashden Fein advises clients on cybersecurity and national security matters, including government and internal investigations, regulatory, and complex litigation matters.

For cybersecurity matters, Mr. Fein specifically counsels clients on preparing for and responding to cyber-based attacks, assessing their security controls and practices for the protection of data and systems, developing and implementing cybersecurity programs, and complying with federal and state regulatory requirements. Mr. Fein also has been the lead investigator and crisis manager for multiple complex cyber and data security incidents, including data security breach matters involving millions of affected consumers, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, and destructive attacks.