Other States Start to Follow New York Lead on Cybersecurity of Regulated Entities
Last fall, in response to the “ever-growing threat” posed to information and financial systems, the New York State Department of Financial Services (“DFS”) proposed cybersecurity regulations that were designed to “promote the protection of customer information and information technology systems of regulated entities.” Regulated “Covered Entities” were defined to mean any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law of New York. The regulations went into effect March 1, 2017, after a delay in enforcement that resulted from comments the affected industries submitted during a notice and comment period about the hardships the initial regulations would have imposed. The final version provides greater flexibility and discretion for businesses regulated by DFS, allows Covered Entities to tailor a cybersecurity program that fits their business needs, and includes transition periods (180 days for most provisions, longer for others). The final version is codified under N.Y.C.R.R. Part 500 (“the Regulation”). The details are discussed further below.
Other states are now starting to follow New York’s lead in mandating at least some degree of cybersecurity assessment for entities subject to state regulatory oversight. Colorado, for example, scheduled a hearing for May 2, 2017, on proposed regulations targeted at financial investment advisors. While these advisors are already subject to federal regulation, as the Securities and Exchange Commission requires financial advisers it regulates to have written cybersecurity policies in effect, the proposed state regulations would impose additional obligations, including an annual assessment of cybersecurity exposures. While the New York regulation would apply to financial advisors if they are licensed by the state, for example as an insurance broker or agent, it is not targeted at them.