On December 28, the New York Department of Financial Services issued revisions to the extensive and detailed cybersecurity regulations for licensed banks and insurance companies, which DFS first announced in September 2016 (proposed 23 NYCRR Part 500). The revised regulations are an improvement over the earlier release. They provide some flexibility for a company to forgo a security practice that the regulations endorse but that is unnecessary to contain risk. They also narrow the types of data that must be protected. In addition, they extend the phase-in to two years and acknowledge the necessity of confidentiality safeguards for information that DFS requires businesses to submit to it.

The essential thrust of the regulations, however, remains intensely mandatory and specific in a way no other cybersecurity standards are. Moreover, with respect to a very large number of banks, other lenders, and insurance carriers and producers, New York's regulations will have national effects. This is especially so because the National Association of Insurance Commissioners appears unlikely to finalize its cybersecurity model law anytime soon and the federal government seems focused on other matters.

Accordingly, now is the time for NY licensees to begin planning to comply with the new DFS regulations. Day Pitney attorneys stand ready to advise our clients on the regulations' requirements, including revising or for the first time instituting a comprehensive cybersecurity program that protects nonpublic information and plans for and protects against cybersecurity events. We are available to guide you in determining how notification and incident response must proceed (especially given the often-long window to detect a breach but short window to report it), what data requires protection, and how to adroitly manage external as well as internal cybersecurity resources. Day Pitney attorneys can also assist clients in engaging with federal departments and agencies charged with cybersecurity responsibilities that may involve classified or other sensitive government matters. We can also advise on how the New York regulation will interact with other insurance regulations such as enterprise risk reporting and own risk and solvency assessments (ORSAs).

Day Pitney will be holding a briefing session on cybersecurity regulations, designed to meet Continuing Legal Education requirements, in our Stamford office on January 12 from 9:30 a.m. to 1:00 p.m. In addition to discussing the evolving regulations, we will discuss some of the ethical issues involved in cyber regulation and reporting.

Space is limited, so please RSVP here if you would like to attend.
