The New York Department of Financial Services ("DFS")
recently issued proposed cybersecurity requirements for financial
services companies. The proposed regulation would be codified
at 23 NYCRR 500, and would be effective March 1, 2017.
This action, which places New York squarely in the vanguard of
US regulators, will have wide-ranging effects given the number of
banks, insurance companies, and financial services companies that
are licensed in New York. It will also affect companies that
do business with those regulated companies, referred to in the
proposed regulation as "Third Party Service Providers,"
whether or not those companies are themselves required to be
licensed by the DFS. Third Party Service Providers that may be
affected include law firms, accounting firms, and consulting firms.
The proposed regulation mandates minimum standards for data
security by Covered Entities. Covered Entities are any person
operating under or required to operate under a license,
registration, charter, certificate, permit, accreditation or
similar authorization under the Banking Law, the Insurance Law, or
the Financial Services Law.
The DFS would require, among other things, that each Covered
Entity undertake the following:
- Maintain a cybersecurity program designed to protect the
confidentiality, integrity and availability of its information
systems;
- Implement and maintain a written policy or policies setting forth
procedures for the protection of information systems and the
Nonpublic Information stored on those systems;
- Designate a qualified Chief Information Security Officer;
- Monitor and test the cybersecurity protections for vulnerabilities;
- Maintain records for 5 years sufficient to provide an audit trail
to reconstruct transactions and cybersecurity events;
- Conduct periodic risk assessments;
- Implement policies to protect Nonpublic Information from
unauthorized access, by limiting data retention through destruction
policies as permitted, by training and monitoring, and by
encryption of data;
- Implement written policies and procedures designed to ensure the
security of Information Systems and Nonpublic Information that is
accessible to or held by Third Party Service Providers;
- Establish a written incident response plan;
- File a Certificate of Compliance with the superintendent annually.
In addition, a Covered Entity must notify the superintendent
as promptly as possible, but in no event later than 72 hours after
determining that a cybersecurity event has occurred, if the event
either would require notification to a governmental or other
supervisory body or has a reasonable likelihood of materially
harming the normal operation of the Covered Entity.
There is a limited exemption for Covered Entities with fewer
than 10 employees, or less than $5,000,000 gross annual revenue in
each of the last three years, or less than $10,000,000 in year-end
assets (including all affiliates). Employees, agents and
representatives who are themselves Covered Entities need not
maintain their own cybersecurity program to the extent they are
covered by the program of another Covered Entity.
Covered Entities that do not control information systems or possess
Nonpublic Information are exempt from certain enumerated
requirements. Covered Entities that qualify for an exemption
must file a Notice of Exemption on the specified form.
Covered Entities will have at minimum 180 days from the
effective date to comply with the requirements. Certain
requirements have longer compliance periods.