New York's Cybersecurity Regulations for Financial Institutions & Health Care
Cybersecurity is one of the most critical challenges facing our nation and our economy. U.S. regulators on both the state and federal level are working to keep pace with the challenges and risks posed by cybercrime.
On March 1, 2017, the New York State Department of Financial Services (DFS) issued a new cybersecurity regulation designed to protect financial institutions, their information technology systems, and their customers from cybercrime. This “first-in-the-nation regulation” requires many of the more than 3,000 financial institutions, insurance companies, health plans, charitable institutions, and other organizations regulated by DFS to take a fresh and comprehensive look at their cybersecurity preparedness, governance, internal controls, and defenses. It applies directly to any entity operating with a “license … or similar authorization under [New York’s] Banking Law, the Insurance Law or the Financial Services Law,” including many foreign and out-of-state branches of DFS-regulated entities.
The regulation provides a basic framework within which organizations are required to develop a comprehensive cybersecurity program best suited to address their specific risk profile. Although the new regulation includes a degree of flexibility and bears some similarities to guidelines and regulations issued by other regulatory bodies, it has 23 different sections and is far more detailed and accountability oriented than most other comparable data security regimes. Significantly, in a clear departure from existing data security regulatory standards, the new DFS regulation holds an institution’s senior leadership accountable by requiring an annual compliance certificate signed by a senior officer or board member.
Given the DFS’s broad authority and history as an aggressive regulator, the risks of noncompliance with the new regulation are substantial. And prompt implementation is required. As the regulation states, “[i]t is critical for all regulated institutions … to move swiftly and urgently to adopt a cybersecurity program.” 23 NYCRR 500.00. Notwithstanding the mandate to act quickly, the complexity of the new regulation means that affected organizations will need to proceed methodically to ensure compliance with the regulation, and should consider appropriately documenting their decision-making process at key junctures.