• New York is First State in the Nation to Propose Cybersecurity Regulations Impacting Banks, Insurance Companies and Mortgage Lenders
  • December 5, 2016
  • Law Firm: Bleakley Platt Schmidt LLP - White Plains Office
  • The New York State Department of Financial Services has proposed regulations that would impose new cybersecurity requirements on banks, insurance companies, mortgage lenders and others. The proposed regulations, issued pursuant to the Financial Services Law, would apply to entities that require a license or authorization under New York State banking, insurance or financial services laws to operate. New York is the first state in the nation to propose such cybersecurity regulations, which are designed to thwart nation-states, terrorist organizations and independent criminal actors from exploiting technological vulnerabilities to gain access to sensitive electronic data. The proposed regulations would create minimum cybersecurity standards to protect customer information and information technology systems.

    These proposed regulations address the following key areas:
    • Establishment of a cybersecurity program
    • Implementation of a written cybersecurity policy
    • Designation of a Chief Information Security Officer
    • Implementation of a written third party vendor information security policy
    • Notification requirements to the Superintendent of Financial Services
    Cybersecurity Program

    Each entity that is covered by these regulations would be required to establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity and availability of its information systems. The core functions that the program must perform include identifying nonpublic information stored on information systems, using defensive infrastructure to protect this information, detecting any threats to information systems and recovering and restoring operations after such a threat is detected.

    Cybersecurity Policy

    The written cybersecurity policy must address protection of information systems and the nonpublic information stored therein. The proposed regulation includes over a dozen areas, such as systems and network security, access controls, risk assessment, and customer data privacy, which, at a minimum, must be included in the policy. In addition, this policy would be required to be reviewed by the company’s board of directors and approved by a senior officer.

    Chief Information Security Officer

    The proposed regulations would also require the designation of a Chief Information Security Officer, who will oversee and implement the cybersecurity program and enforce the cybersecurity policy. In addition, entities covered by this regulation would be required to employ cybersecurity personnel sufficient to manage cybersecurity risks and to perform core cybersecurity functions.

    Third Party Vendor Information Security Policy

    The third party vendor information security policy would be required to ensure the security of information systems and nonpublic information that are accessible to or maintained by third party vendors. These policies would be required to address certain key areas, including risk assessments of vendors and due diligence processes used to evaluate vendors, as well as establishing preferred provisions, such as use of encryption, right to audit vendors, and vendors’ use of authentication to access information, to be included in vendor contracts.

    Notification Requirements


    The proposed regulations would require each entity that is covered to notify the Department of Financial Services within 72 hours of becoming aware of a cybersecurity threat that has a reasonable likelihood of materially affecting operations or that affects nonpublic information. In addition, starting January 15, 2018, the regulations would require the board of directors or a senior officer to submit an annual compliance certification (the regulations provide a template of the certification to be used).

    The proposed regulations do contain a limited exception for smaller companies, but would still require these smaller companies to comply with certain requirements. The proposed regulations were subject to public comment until November 14, 2016. If they are finalized in their current form, they would go into effect January 1, 2017. Those affected by the regulations would have until June 30, 2017 to come into compliance. The proposed regulations do not specify penalties for non-compliance. If adopted, it is possible that courts would look to the regulations to define the proper standard of care in this developing legal area.