The beginning of March, and a spell of unseasonably warm weather, graced the Northeast this week. So too did New York’s first-in-the-nation cybersecurity regulations. As we reported here in January, the initial launch of regulations was scuttled in response to industry concerns about scope and the inability to modify internal security measures by the established deadlines. This resistance led New York’s Department of Financial Services (“DFS”) to slightly modify the regulations and delay implementation by one month. The regulations became effective on March 1, upon publication in the NY State Register.
On February 16, 2017, Governor Cuomo trumpeted the impending implementation of the regulations and explained that the protections will help ensure that the financial services industry has the necessary safeguards in place to protect both companies and consumers from serious economic harm caused by cyber-crimes. Indeed, the final regulations encourage firms to keep pace with technological advances, and provide important protections against cyber-breaches. Those regulations include 1) requiring cybersecurity programs to be adequately staffed, funded, and overseen by qualified management; 2) requiring data access controls and data protection measures, including encryption and penetration testing; 3) requiring incident response plans and notice to DFS of material events; and 4) requiring identification and documentation of material deficiencies, remediation plans, and annual certifications of regulatory compliance to DFS. Even post-modification, DFS’ cybersecurity program remains robust.
Both DFS Superintendent Maria T. Vullo and Manhattan District Attorney Cyrus R. Vance, Jr. echoed the Governor’s remarks and noted that the landmark regulation ensures that consumers can trust their financial institutions to have protocols in place to protect the privacy and security of their sensitive personal information, and that NY is leading the nation in promulgating strong minimum standards to protect regulated entities and the consumers they serve. As in so many commercial contexts, NY is the first mover in financial services cybersecurity. Other states will watch closely as major financial services players aim to comply with these new cybersecurity standards during the transitional periods granted by the regulations. They will watch even more closely as the DFS Superintendent begins to initiate enforcement actions for noncompliance. We will certainly keep you apprised of such activity.