March 28, 2023

Volume XIII, Number 87


New York DFS Finalizes ‘First-in-the-Nation’ Cybersecurity Regulations for Financial Services Industry

On February 16, 2017, the New York Department of Financial Services (DFS) released its final self-described “first-in-the-nation” cybersecurity regulations (the Rules). The Rules become effective March 1, 2017, but will be phased in on a staggered basis beginning 180 days after the effective date. Proposed cybersecurity regulations were initially released on September 13, 2016 to become effective January 1, 2017, but on December 28, 2016, the DFS delayed the effective date and simultaneously issued a revised proposal. Morgan Lewis submitted comment letters recommending several modifications to both the initial proposal and the revised proposal.

Although the DFS did take comments into account in initial revisions, the Rules still raise important operational, compliance, and risk management concerns for financial institutions, financial services companies, insurance firms, and other DFS-regulated entities (Covered Entities). The Rules have only minimal changes from the revised proposal, aside from certain changes made to the exemptive provisions, in particular with regard to Covered Entities that are insurance enterprises.

Under the Rules, Covered Entities will be required to establish and maintain cybersecurity programs designed to perform the following functions:

  • Identify internal and external cyber risks

  • Use defensive infrastructure and implement policies and procedures to protect the Covered Entity’s information systems and nonpublic information stored on such systems from unauthorized access or use and other malicious acts

  • Detect Cybersecurity Events (as defined in the Rules)

  • Respond to identified or detected Cybersecurity Events to mitigate any adverse effects

  • Recover from Cybersecurity Events

  • Fulfill all regulatory reporting obligations

The Rules also mandate the following:

  • Periodic penetration testing and vulnerability assessment

  • Audit trail requirements

  • Employee training

  • Encryption of nonpublic information

  • Third-party service providers security policy

  • Identification of a Chief Information Security Officer (CISO) to oversee, implement, and provide board reporting regarding the cybersecurity program

  • Data retention and monitoring procedures

  • A strict 72-hour notification standard that requires Covered Entities to report Cybersecurity Events in broad-ranging circumstances, such as unauthorized attempts to access a Covered Entity’s systems

  • Establishment of an incident response plan

Each Covered Entity is required to submit a certification stipulating that its board of directors or designated senior official has reviewed reports and other documentation and that, to the best of the board’s or official’s knowledge, the cybersecurity program complies with the Rules.

Each Covered Entity will have the flexibility to perform a risk assessment on which many of the other requirements are based, thereby limiting certain requirements. The Rules will apply irrespective of whether the Covered Entity already adheres to cybersecurity regulations imposed at the federal or state level, but the Rules do contain exemptions from compliance with certain rules therein for “small” Covered Entities and various insurance entities.

The majority of the Rules become effective March 1, 2017, with a 180-day grace period as well as several transition periods for certain requirements. For example, Covered Entities will be required to submit their certifications of compliance as of February 15, 2018, and will have:

  • one year from the effective date to comply with the CISO reporting requirement, penetration testing and vulnerability assessment, risk assessment, multifactor authentication, and cybersecurity awareness training;

  • 18 months to comply with the audit trail, application security, limitations on data retention, monitoring procedures, and encryption of nonpublic information; and

  • two years to comply with the third-party service providers security policy.

Given the short amount of time before the Rules take effect, and the relatively short transition periods, Covered Entities should begin taking the necessary steps to comply with the Rules’ major requirements.

Copyright © 2023 by Morgan, Lewis & Bockius LLP. All Rights Reserved. National Law Review, Volume VII, Number 48

About this Author

Martin Hirschprung, Morgan Lewis Law Firm, Investment Attorney

Martin Hirschprung focuses his practice on representing investment companies and their advisers in a wide variety of legal, regulatory, and transactional matters. His experience extends to work in several areas, including fund formation, ongoing compliance, and corporate governance.

Charles Horn, financial services attorney, Morgan Lewis

Charles M. Horn is a partner in Morgan Lewis's Investment Management and Securities Industry Practice. Mr. Horn focuses his practice on regulatory and transactional matters, primarily in the areas of banking and financial services. He works on behalf of domestic and global financial institutions of all sizes on regulatory, supervisory, enforcement and compliance matters before all major federal financial institutions regulatory agencies, and leading state financial regulatory agencies.

Mark Krotoski, Litigation attorney, Morgan Lewis

Mark L. Krotoski represents and advises clients on antitrust cartel investigations; cybersecurity and privacy matters; trade secret, economic espionage, fraud, and foreign corrupt practices cases; and government investigations. With nearly 20 years of experience as a federal prosecutor and a leader in the US Department of Justice (DOJ), Mark provides clients with a unique blend of litigation and investigative experience. He has tried 20 cases to verdict and successfully argued appeals before the US Court of Appeals for the Ninth and Sixth Circuits.

Melissa R. H. Hall, Financial services attorney, Morgan Lewis
Of counsel

Melissa R. H. Hall represents US and overseas banks, nonbank financial services companies, investors in financial services, and technology companies in regulatory and corporate matters. She advises them on a wide range of state and federal financial regulatory laws and regulations. She provides counsel on financial regulatory compliance and enforcement, including state and federal licensing requirements, consumer financial products and compliance, payment systems, corporate and transactional matters, financial institution investment and acquisition, and the development...