May 28, 2022

Volume XII, Number 148


New York's New Cybersecurity Regulation for Financial Institutions Will Have National Reach

Cyber-crime and identity theft pose an ever-increasing threat to the consumers of financial products and services. To confront this threat, New York’s Governor Andrew Cuomo recently announced a cybersecurity regulation for New York’s financial services sector which takes effect today.1 The regulation will require financial institutions to implement robust controls to detect, thwart, and report cyber-incidents.

Given the national reach of many New York financial institutions, the impact of the new regulation will be felt far beyond the state of New York and will likely become the baseline standard for the industry. Almost any entity that operates under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the banking, insurance, and financial services laws of New York is covered by the regulation. There are few exemptions (see below).

Generally speaking, the regulation requires banks, insurance companies, and other financial services institutions regulated by the New York State Department of Financial Services (“NYDFS”) to establish and maintain cybersecurity programs designed to protect consumers’ private data and ensure industry safety. The regulation includes certain regulatory minimum standards and encourages firms to keep pace with technological advances.

More specifically, the regulation requires covered entities to:

  • Conduct periodic risk assessments

  • Maintain a cybersecurity program based on the risk assessment

  • Adopt written cybersecurity policies

  • Comply with governance and staffing requirements – including appointment of a Chief Information Security Officer by August 2017

  • Monitor or conduct penetration testing and vulnerability assessments

  • Maintain transaction and server logs

  • Limit user access privileges

  • Maintain application security written procedures, guidelines, and standards

  • Install a vendor risk-management program, policies, and procedures

  • Use multi-factor authentication or risk-based authentication

  • Destroy nonpublic information periodically and securely

  • Implement controls, including encryption or compensating controls

  • Establish a written incident-response plan

  • Provide regular cybersecurity awareness training

  • Notify NYDFS of any breaches within 72 hours.

Although the regulation takes effect today, it includes transition periods of between one and two years for most requirements. Even with the staggered compliance dates, however, full compliance with such an expansive regulation will be challenging.

Some persons or entities will be exempt from most of the requirements of the regulation - except for conducting a risk assessment; implementing written policies and procedures to secure nonpublic information that is accessible to, or held by, third-party service providers; and establishing policies and procedures for the secure disposal of nonpublic information. Among the exempted are “small covered entities,” “designees covered by another covered entity,” “entities that do not possess or handle nonpublic information,” and “captive insurance companies.” Even exempted covered entities must still file a certificate of exemption with NYDFS within 30 days.

NYDFS announced the initial proposed rules in September 2016. After industry complaints and a public hearing, revised rules were issued in December 2016. Another public comment period closed in late January 2017.

1 The regulation can be found here:

Copyright Holland & Hart LLP 1995-2022. National Law Review, Volume VII, Number 60

About this Author

Romaine C. Marshall, Holland Hart, Software Technology Litigation Lawyer, Arbitration Attorney

Mr. Marshall is a litigation and trial attorney in the Salt Lake City office who represents businesses in the software, technology, financial and technical services, and energy and natural resources industries. He distills complex factual and legal issues to effectively persuade judges, juries, and opposing parties at trial and arbitration. He also counsels clients how to avoid the business expense and disruption of litigation and trial through settlement, pretrial dispositive relief, and other dispute resolution options. Mr. Marshall has represented clients in disputes...

C. Matt Sorensen, Holland Hart, regulatory compliance attorney, data breach management lawyer

Mr. Sorensen is a Certified Information Systems Security Professional (CISSP) and Certified Information Privacy Professional in both the United States and Europe (CIPP/US and CIPP/E), focusing his practice on domestic and international data privacy and cybersecurity law. He advises companies across industries on breach prevention, cyber-attack preparedness, information governance, regulatory compliance, and data breach management. In particular, he helps clients understand how to create and implement effective compliance programs and controls...