What You Must Know about New York’s Proposed Cybersecurity Regulation for the Banking, Insurance, and Financial Services Sectors

Consumer Finance   |   Cybersecurity and Privacy   |   Insurance   |   Technology   |   September 20, 2016

Last week, New York's Department of Financial Services released its long-awaited proposed cybersecurity regulation, which promises sweeping protections for consumers and financial institutions alike. The proposed regulation, titled "Cybersecurity Requirements for Financial Services Companies" (23 NYCRR Part 500), would, if implemented, be a first-of-its-kind state provision creating mandatory cybersecurity and risk management requirements for companies in the banking, insurance, and financial services industries licensed in New York. The proposed regulation would take effect January 1, 2017, and will be open for public comment for 45 days beginning September 28, 2016. Given New York's prominence in the financial services sector, other states are likely to follow its lead in promulgating similarly sweeping regulations.

Background. The proposed regulation arose out of surveys of regulated banking institutions and insurance companies the Department conducted in recent years.

Based on those surveys' findings, the Department identified five key elements of cybersecurity programs, all of which can be seen in the proposed regulation: (1) a written information security policy; (2) security awareness and education and training for employees; (3) information security audits; (4) risk management of cyber risk (including the identification of key risks and trends); and (5) incident monitoring and reporting.

Here's what you need to know about New York's proposed cyber regulation.

Scope. The proposed regulation is broad in scope. It applies to any individual or entity operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under New York banking, insurance, or financial services laws, subject to certain limited exemptions for smaller entities. Smaller entities – which the regulation defines as having (1) fewer than 1,000 customers in each of the last three calendar years; (2) less than $5 million in gross annual revenue in each of the last three fiscal years; and (3) less than $10 million in year-end total assets as calculated by GAAP – are still expected to comply with many of the regulation's requirements.

The broad scope of the proposed regulation continues with its definition of "nonpublic information," which is defined to include any information that an individual provides to a covered entity in connection with seeking or obtaining a financial product or service.

Cybersecurity Program. The proposed regulation's primary purpose is to ensure that all companies, large and small, in the banking, insurance, and financial services industries have a cybersecurity program in place. While an increasing number of companies already do, the proposed regulation makes this mandatory across the board and requires the program to be in writing. Among other things, the proposed regulation requires companies to have a program that:

  • identifies internal/external cybersecurity risks;
  • uses defensive infrastructure to protect covered information;
  • detects "cybersecurity events" such as a breach; and
  • fulfills regulatory reporting obligations.

Third Parties. If a company uses a third party to handle its information systems or retain its data, the proposed regulation further obligates the company to ensure that those third parties meet certain minimum cybersecurity practices. This includes mandatory periodic assessments of third parties and written policies governing third-party relationships that, in some instances, may require contractual representations and warranties that the third party's services are free from viruses and other security vulnerabilities.

Chief Information Security Officer. For larger companies, the proposed regulation will require the designation of a Chief Information Security Officer (CISO), who will be tasked with implementing, overseeing, and enforcing the cybersecurity program. In particular, the CISO will review the cybersecurity policy at least annually and report at least bi-annually on the program to the company's governing body. Again, while such reporting mechanisms may already be in place at some companies, the proposed regulation will make this the standard.

Multi-Factor Authentication & Encryption. Until now, multi-factor authentication has generally been a best practice, not a requirement. The proposed regulation would require larger companies to use multi-factor authentication for any access to internal systems or data from an external network and for access to servers that contain nonpublic information, as well as risk-based authentication for individuals accessing web applications that capture, display, or interface with nonpublic information. The proposed regulation likewise requires encryption of all nonpublic information, both in transit and at rest, with limited exceptions.

Limits on Data. Another key provision of the proposal is its limit on data retention. Companies subject to the regulation will be required to timely destroy all nonpublic information that is no longer necessary for the provision of the products or services for which the information was originally provided.

Application Development. The proposed regulation also encompasses application security, requiring companies to ensure the use of secure development practices for applications developed in-house and to assess and test the security of externally developed applications they use.

Reporting & Certification Requirement. When a "cybersecurity event" such as a breach occurs, the proposed regulation requires companies to notify the Department within 72 hours. The regulation further requires companies to certify to the Department annually that their cybersecurity programs are in compliance, and to maintain all records and documentation supporting that certification for a five-year period.

Staff & Training. The proposed regulation further requires companies to employ cybersecurity personnel to manage the program, as well as to provide for mandatory and regular cybersecurity education and training.

The Takeaway. New York's proposed cybersecurity regulation is consistent with the shift toward greater regulation in the cybersecurity space, particularly for the financial services sector. As previously discussed, the Federal Financial Institutions Examination Council recently issued similar-sounding guidelines to help examiners evaluate the risk management and mitigation processes of financial institutions and third-party service providers. New York's proposed regulation, however, would be different because it is mandatory.

For some ahead-of-the-curve companies, this "new" cybersecurity regulation may not seem all that new. But for most, the imposition of its mandatory cybersecurity standards, including the designation of a CISO and ongoing staff training and education, may have significant cost implications that may require advanced discussion and planning.

Indeed, the biggest impact of the regulation may be felt by smaller entities that, unlike their larger counterparts, do not already have many of these policies and procedures in place. Under the new regulation, smaller entities will still be required to have a cybersecurity program and written policy in place, limit access privileges to nonpublic information, conduct annual risk assessments, and comply with the notice and certification requirements.

Further, the broad definition of nonpublic information, the data retention limits, and mandatory multi-factor authentication may require some companies to reassess their existing data storage, retention, and access control policies. What's more, because New York is considered a leader for the financial services industry, this regulation may be a harbinger of things to come for other states as well.

©2023 Carlton Fields, P.A.