November, we reported on a proposal by the New York Department
of Financial Services (NYDFS) for an extensive cybersecurity
framework for its regulated financial institutions. Recently, Governor Cuomo announced a proposed rule requiring banks, insurance
companies and other financial services institutions regulated by
the NYDFS to establish and maintain a strong cybersecurity program.
These regulations include several key requirements for these
Establishment of a cybersecurity program. Institutions would be
required to implement policies and procedures to protect against
unauthorized use and access to sensitive information. The program
should also focus on responsiveness to these incidents and recovery
and restoration of business operations.
Adoption of a cybersecurity policy. The policies and procedures
must address several key areas, including information security,
data classification and governance, access controls, customer data
privacy, risk assessments and incident response.
Designation of a Chief Information Security Officer (CISO). The
CISO would be responsible for oversight and implementation of the
cybersecurity program and enforcement of cybersecurity policy.
Third Party Service Provider oversight. The entity must have
policies and procedures ensuring the security of information
handled by third parties, including minimum standard cybersecurity
practices and periodic assessments of the third party service
Other key requirements of the proposed rule include annual
penetration testing; timely destruction of private information,
except where necessary; monitoring of authorized users; encryption
of nonpublic information in transit and at rest; and a written
incident response plan for cybersecurity incidents affecting the
confidentiality, integrity or availability of information systems.
In addition, regulated entities will be required to provide a
yearly report to the NYDFS certifying compliance with the
Importantly, the proposed rule requires notification to the
NYDFS no later than 72 hours after a cybersecurity event that has a
reasonable likelihood of materially affecting normal operation, or
that includes actual or potential unauthorized tampering with or
access to or use of nonpublic information, including any event
where notification is provided to a governmental or self-regulatory
agency. The proposed rule, however, defines "nonpublic
information" broadly. The definition includes:
(1) Any business-related information,
the tampering with which, or unauthorized disclosure, access or use
of which, would cause a material adverse impact on the business,
operations or security of the entity;
(2) Any information that an
individual provides to the entity in connection with a transaction
involving a financial product or service provided by the
(3) Any information, except age or
gender, that is created by, derived from or obtained from a health
care provider or an individual and that relates to the past,
present or future physical, mental or behavioral health or
condition of any individual or a member of the individual's
family or household, or from the provision of health care to any
individual, or from payment for the provision of health care to any
(4) Any information that can be used
to distinguish or trace an individual's identity, including but
not limited to an individual's name; Social Security number;
date and place of birth; mother's maiden name; biometric
records; medical, educational, financial, occupational or
employment information; information about an individual used for
marketing purposes; or any password or other authentication
The broad scope of potentially nonpublic information affected
will require entities regulated by the NYDFS to quickly and
thoroughly assess the type of information affected by any potential
incident and determine whether notification to the NYDFS is
The rule was published in the New York State
Register on September 28, 2016. It is currently in the 45-day
comment period prior to final issuance. Upon final issuance, the
rule will go into effect on Jan. 1, 2017. In addition, regulated
entities will be required to provide the annual certificate of
compliance with the cybersecurity regulations beginning on Jan. 15,
The proposed rule, which is the first of its kind in the nation,
will heighten cybersecurity requirements for financial institutions
regulated by the NYDFS. While the rule provides a measure of
flexibility for institutions of all sizes to efficiently adapt,
they will require these institutions to carefully examine their
current cybersecurity standards and make adjustments, where
necessary, in order to comply.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently announced the first ever settlement related to a Covered Entity's untimely breach notification in violation of HIPAA.
Shortly before the New Year, the United States Attorney for the Southern District of New York unsealed an indictment against three Chinese hackers who allegedly stole information from two prominent U.S. law firms.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).