Patterson Belknap Webb & Tyler LLP
  April 20, 2017 - United States of America

New York's Cybersecurity Regulations for Financial Institutions & Health Care

Cybersecurity is one of the most critical challenges facing our nation and our economy. U.S. regulators on both the state and federal level are working to keep pace with the challenges and risks posed by cybercrime.

On March 1, 2017, the New York State Department of Financial Services (DFS) issued a new cybersecurity regulation designed to protect financial institutions, their information technology systems, and their customers from cybercrime.[1] This “first-in-the-nation regulation” requires many of the more than 3,000 financial institutions, insurance companies, health plans, charitable institutions, and other organizations regulated by DFS to take a fresh and comprehensive look at their cybersecurity preparedness, governance, internal controls, and defenses. It applies directly to any entity operating with a “license … or similar authorization under [New York’s] Banking Law, the Insurance Law or the Financial Services Law,”[2] including many foreign and out-of-state branches of DFS-regulated entities.
The regulation provides a basic framework within which organizations are required to develop a comprehensive cybersecurity program best suited to address their specific risk profile. Although the new regulation includes a degree of flexibility and bears some similarities to guidelines and regulations issued by other regulatory bodies, it has 23 different sections and is far more detailed and accountability oriented than most other comparable data security regimes. Significantly, in a clear departure from existing data security regulatory standards, the new DFS regulation holds an institution’s senior leadership accountable by requiring an annual compliance certificate signed by a senior officer or board member.
Given the DFS’s broad authority and history as an aggressive regulator, the risks of noncompliance with the new regulation are substantial, and prompt implementation is required. As the regulation states, “[i]t is critical for all regulated institutions … to move swiftly and urgently to adopt a cybersecurity program.” 23 NYCRR 500.00. Notwithstanding the mandate to act quickly, the complexity of the new regulation means that affected organizations will need to proceed methodically to ensure compliance, and should consider appropriately documenting their decision-making process at key junctures.

To view the full publication and gain valuable insight on how institutions may be affected by these new regulations, please click HERE.

About the Publication:

This mini-treatise, New York's Cybersecurity Regulation for Financial Institutions, A New Age of Cybersecurity Regulation: Raising the Bar and Demanding Leadership Accountability, authored by Patterson Belknap Webb & Tyler LLP and published by and available on Bloomberg Law, provides a general overview of the sweeping new cybersecurity regulation issued by the New York State Department of Financial Services, the state's top banking and insurance regulator, focusing on its core rules and requirements. This publication also provides practical guidance regarding issues that affected institutions might want to consider as they implement the requirements of the regulation.