The New York Department of Financial Services ("DFS") recently issued a revised version of the cybersecurity rules[1] that it first announced in the fall of last year. The rules apply to a wide range of insurance, banking, and financial services companies under the DFS's supervision and require them to adopt robust cybersecurity programs to protect sensitive and confidential data from theft by cybercriminals. Although the revised rules appear to incorporate some of the comments made by the public and industry groups during a notice and comment period in the fall, they still impose a number of rigorous new cybersecurity requirements that will affect not just companies regulated by the DFS but many of the third-party service providers who have access to confidential corporate data or systems. The new rules also leave open the question as to whether the DFS will bring enforcement actions against covered entities – and potentially their employees – for non-compliance.
On September 13, 2016, the DFS first announced and published its proposed cybersecurity rules (the "Original Rules"), which were subject to a notice and comment period.[2] On December 28, 2016, the DFS issued a revised version of the rules (the "Revised Rules"), which are subject to a new 30-day notice and comment period.[3] The Revised Rules are scheduled to become effective on March 1, 2017 and require "Covered Entities"[4] to comply with most of their provisions within six months of their effective date.[5]
When Governor Andrew Cuomo first announced the Original Rules in the fall, he stated that New York was "leading the nation in taking decisive action" to address potentially costly cybersecurity threats.[6] The significant concentration of insurance, banking, and financial services entities in New York ensures that the Revised Rules will play an important role in shaping cybersecurity programs across the nation.
[1] N.Y.S. Dep't of Fin. Servs., Cybersecurity Requirements for Financial Services Companies (Proposed) – 23 N.Y.C.R.R. Part 500, http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf (hereinafter "Part 500" or "Section 500.__").
[2] See http://www.dfs.ny.gov/about/press/pr1609131.htm (hereinafter "Press Release ¶ __").
[4] The rules define "Covered Entity" as "any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, Insurance Law, or the Financial Services Law [of New York]." Section 500.01(c). Certain entities may qualify for exemptions from the cybersecurity rules including, for example, entities that (i) have fewer than 10 employees or (ii) have less than $5,000,000 in gross annual revenue for each of the last three years. Section 500.19.
[5] Sections 500.21 and 500.22.
[6] Press Release ¶ 2.