The NYS Department of Financial Services’ New Cybersecurity Regulation Expected to Take Effect January 1, 2017

The comment period is nearly over for the proposed New York regulation that would require a wide variety of businesses in New York State to establish a compliant cybersecurity program. The regulation will apply to entities licensed or registered under New York banking, insurance or financial services laws. The regulation is set to take effect January 1, 2017 (to be codified at 23 N.Y.C.R.R. 500 (2016)), giving covered entities 180 days to comply with its requirements. It remains to be seen how the Department of Financial Services (“DFS”) will address all of the comments it has received and how much of those comments will affect implementation of the regulation.

The proposed regulation creates another layer of regulatory burden by imposing additional oversight of industries already subject to various rules and regulations of other agencies concerning data security and privacy. For instance, the financial industry is already wrestling with the ever-changing web of state, national and international regulations on cybersecurity and privacy matters.

Regardless, by early 2017, every financial, banking and insurance institution will need to have in place a program and policies that comply with the proposed regulation. This includes risk assessment, crisis planning and customer data privacy policies and procedures such as mandatory encryption of nonpublic information and multifactor authentication. These businesses must also identify a “qualified” Chief Information Security Officer and make inquiry of third party vendors who handle “nonpublic” data (a broadly defined term). Quarterly vulnerability assessment and annual penetration testing is also required under the proposed regulation.

Perhaps the most onerous requirement is that covered entities notify DFS of certain cybersecurity events within 72 hours of discovery, even those involving potential unauthorized tampering with, access to or use of nonpublic data.

While we know many affected companies already have the programs, policies and management structures in place, the regulation adds new burdens. Adequate preparedness is crucial to ensuring that affected companies can respond promptly and appropriately to not only mitigate harm, but also to identify the type of response that is reasonable and necessary, and to ensure the regulatory requirements are met.

Additional Assistance

Phillips Lytle’s Data Security & Privacy Practice Team can assist with developing a compliant cybersecurity program, or review current programs for compliance with the proposed regulation, if and when it is adopted, and other state, federal and international requirements. The team has worked with our financial, banking and insurance clients, and those in other highly-regulated industries, to evaluate current crisis management plans, develop new plans, and review and comment on policies and procedures concerning record retention and data security and privacy. Phillips Lytle can provide guidance on the due diligence of reviewing third party vendor contracts, services and relationships. The team has also litigated to defend clients affected by cyber attacks or other crimes, and assisted in addressing issues raised by government regulators.

With attorneys who were former technology business owners and advisors to the nation’s intelligence, military and law enforcement leaders who are immersed in the technology industry, Phillips Lytle is uniquely qualified to provide the legal and business perspectives necessary to develop sound data privacy and security plans.

Even if you are currently working with consultants to develop a cybersecurity program, the policies and procedures should be reviewed by legal counsel to ensure compliance with the regulations and other laws to help avoid possible enforcement actions.

For questions regarding DFS’ new cybersecurity regulation, please contact any of the attorneys on our Data Security & Privacy Practice Team.