New York Financial Services Cybersecurity Regulation Takes Effect March 1

Privacy & Cybersecurity Update

Date: February 21, 2017

Key Notes:

  • New regulation requires New York financial services firms to implement written comprehensive cybersecurity programs.
  • Required elements of the programs are specific and extensive.
  • Regulation effective March 1, and implementation must begin within 180 days.

On February 16, 2017, New York Governor Andrew Cuomo announced that the “first-in-the-nation cybersecurity regulation” will take effect on March 1. The regulation will apply to all entities regulated by New York’s Department of Financial Services (DFS), including banks, trust companies, mortgage brokers and insurance companies, and will require those firms to implement, within 180 days, comprehensive cybersecurity programs to ensure the safety and integrity of their own and their clients’ information.

Governor Cuomo and DFS Superintendent Maria Vullo described the measure as a “landmark regulation” that demonstrates that New York, “the financial capital of the world,” is “leading the charge to combat the ever-increasing risk of cyber-attacks.”

Key requirements of the comprehensive regulation, which addresses all aspects of a cybersecurity program from inception through implementation and breach notification, include:

  • Administration. Each covered entity must conduct an initial risk assessment, which is to be periodically reviewed and updated, and design a written policy that addresses the specific identified cybersecurity risks. The policy must be approved by a senior officer or the firm’s board of directors. The company also must designate a qualified individual, a chief information security officer (CISO), responsible for overseeing and implementing the program. The CISO is required to submit an annual written report to the firm’s board of directors evaluating the program’s effectiveness.

  • Required elements. The cybersecurity program for each covered entity must:
    • include periodic penetration testing and vulnerability assessments;
    • restrict access privileges and implement multi-factor authentication;
    • engage qualified cybersecurity personnel;
    • include written procedures designed to ensure the security of both internally and externally developed applications used by the covered entity;
    • contain policies designed to ensure the security of systems that are accessible by third-party service providers;
    • require ongoing cybersecurity training and monitoring of personnel;
    • implement controls, such as encryption, to ensure the security of transmitted data;
    • include an incident response plan;
    • maintain systems that reconstruct financial transactions and include audit trails designed to detect and respond to cybersecurity incidents; and
    • ensure the secure disposal of data when it is no longer needed.

  • Notifications. Under the new regulation, a covered entity must report a material cybersecurity incident to DFS within 72 hours after determining that the incident has occurred, provided that the incident is required to be reported to a state agency or other governing body. In addition, each covered entity must submit a written statement to DFS by February 15 of each year certifying compliance with the new regulation.

  • Exemptions. DFS-regulated firms that do not meet certain asset or revenue thresholds, have fewer than 10 employees or do not process nonpublic information are exempted from the regulation’s requirements, provided a notice of exemption is filed with DFS.

Failure to comply with these requirements will expose a covered entity to substantial enforcement and reputational risk, including the imposition of substantial fines and public consent decrees, as well as the likelihood that, if a data breach occurs, the lack of compliance may result in more severe consequences.


For more information, please contact:

Maranda E. Fritz

Thomas F. Zych

Craig A. Foster

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgement of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.