Cybersecurity Requirements On the Horizon for Financial Services Companies Licensed in New York?
New York’s Department of Financial Services has released its proposed cybersecurity regulation, which, if it passes, will deliver significant protections to both consumers and financial institutions licensed in New York. The proposed regulation, “Cybersecurity Requirements for Financial Services Companies” (23 NYCRR Part 500), would create mandatory cybersecurity and risk management regulations for New York-licensed companies in the insurance, banking, and financial services industries. According to the proposal, “This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion.” In other words, New York-licensed companies will now be required to develop and implement specific cybersecurity programs according to the requirements in the regulation. If passed, it will take effect on January 1, 2017, and companies will have 180 days from that date to comply.
The cybersecurity programs required by the proposed regulation will “ensure the confidentiality, integrity and availability” of the company’s information systems. The cybersecurity programs must perform these “core cybersecurity functions: (1) identify internal and external cyber risks by, at a minimum, identifying the Nonpublic Information stored …; (2) use defensive infrastructure and the implementation of policies and procedures to protect the … systems …; (3) detect Cybersecurity Events; (4) respond to identified or detected Cybersecurity Events to mitigate any negative effects; (5) recover from Cybersecurity Events and restore normal operation services; and (6) fulfill all regulatory reporting obligations.” The proposed regulation also requires the designation of a “qualified individual” to serve as Chief Information Security Officer, responsible for overseeing and implementing the cybersecurity program at his or her respective company.
We will continue to monitor this proposed regulation. If you have any questions regarding the details required by 23 NYCRR Part 500, please contact Tom Ryerson or Mindy Medley.