Alert
By Brian E. Finch,
09.28.16
After much research and discussion, the New York State Department of Financial Services (DFS) has released the near-final version of its Cybersecurity Requirements for Financial Services Companies. The DFS Cybersecurity Regulation is breathtaking in its scope and will soon become a major factor in how financial entities, including banks, financial services firms, and insurance carriers, secure their operations.
Properly implementing the DFS Cybersecurity Regulation will be no small feat. The regulation requires the implementation of a variety of cybersecurity policies and procedures, ranging from the well-known to the relatively unique. Posing an even greater challenge for entities covered by the regulation is the fact that they must start imposing virtually the same strict cybersecurity controls on third parties with which they do business. The regulation will also require directors and officers of entities falling under its purview to certify annually that they have a compliant program in place. Thus, it is easy to anticipate that these newly created or modified cybersecurity programs will be the subject of much scrutiny.
This alert identifies key elements of the DFS Cybersecurity Regulation, which third parties and vendors will be impacted by the Regulation, questions left unanswered by the regulation as currently drafted, and steps covered entities can take to become compliant with the Regulation while also managing potential civil liability.
Overview of the DFS Cybersecurity Regulation
DFS has released one of the most comprehensive and ambitious cybersecurity regulations yet seen. Beginning in 2017, entities covered by the regulation will be required to develop and implement a broad suite of cybersecurity programs and policies, training regimes, risk analyses and vulnerability assessments, incident response capabilities, and other controls. Moreover, the regulation requires that the policies, procedures, and various testing programs and assessments be regularly repeated and refreshed. All in all, the regulation represents a significant (and likely costly) set of new requirements for the nearly 2,000 covered entities that must comply with it.
The regulation defines covered entities as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law, or the financial services law.” Note that entities are exempted if they have had fewer than 1,000 customers on average over the past three years, less than $5 million in gross annual revenue in each of the last three fiscal years, and less than $10 million in year-end total assets.
The required elements of the regulation include:
Download: New York Sets Uncomfortable Cybersecurity Precedent