September 21, 2021

Volume XI, Number 264

New York Proposes Required Cybersecurity Programs for Financial Institutions

In an unprecedented effort to protect New York State’s financial services industry from cyber threats, Governor Andrew M. Cuomo announced a proposed regulation that requires banks, insurance companies, and other financial services institutions regulated by the State Department of Financial Services (DFS) to establish and maintain a cybersecurity program to protect consumers and New York State’s financial services industry.

The landmark proposed regulation is subject to a 45-day notice and public comment period before its final issuance. Requirements of the proposed regulation for financial institutions include:

  • Establishment of a cybersecurity program

  • Adoption of a written cybersecurity policy

  • Designation of a chief information security officer responsible for the program and policy

  • Creation of policies and procedures designed for the security of information systems and non-public information accessible to, or held by, third parties.

The DFS has published the details of the “Proposed Cybersecurity Requirements for Financial Service Companies” on its website.

Recognizing the dynamics of the swiftly evolving cyber industry, the proposed regulation includes minimum standards while maintaining flexibility so that the rule does not become unduly restrictive as technology advances.

DFS’s proposal to raise the cybersecurity standards for financial institutions comes at a time when the increasing cyber risk posed by hackers, employees, criminals and a host of other actors has received significant media attention. In an effort to protect its financial services industry from unauthorized intruders, New York is seeking to impose more rigorous standards on the industry, which is viewed as a significant target for cyber threats.

To ensure that these new programs and policies are not simply adopted without proper implementation, New York is proposing an additional requirement that mandates cybersecurity awareness training for all personnel, an appropriate document retention/destruction policy for nonpublic information when it is no longer required and an incident response plan to respond to any cybersecurity event.

Although New York’s financial services industry may be the first to be held to the proposed heightened standards, it almost certainly won’t be the last, as other states and industries will likely follow suit to protect consumers and financial institutions from an ever-increasing cyber threat.

© 2021 Wilson Elser

National Law Review, Volume VI, Number 263

About this Author

Richard Reiter, Wilson Elser Law Firm, Commercial Litigation Attorney
Partner

Richard Reiter represents client interests in complex business disputes, intellectual property, cyber, real estate, and insurance coverage. A member of the firm’s Information Governance Leadership Committee, Rich advises on business interruption, threats to a client’s reputation, notification obligations, data management and the Internet of Things.  In addition, he assists with e-commerce and technology errors and omissions. Rich counsels clients on the protection of IP assets and represents individuals and businesses accused of infringement and computer technology...

914-872-7728