NYS DFS Proposes Cybersecurity Regulation

 

Late last month, the New York State Department of Financial Services proposed a new cybersecurity regulation that would require banks, insurance companies, and other financial services institutions regulated by DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.  A press release announcing the proposed regulation is available here.  A fact sheet about the proposed regulation and the text of the proposal are both available through this link, as well.

In brief, the proposed regulation would require covered financial institutions to (i) establish a cybersecurity program; (ii) adopt a written cybersecurity policy; (iii) designate a Chief Information Security Officer responsible for implementing, overseeing and enforcing its new program and policy; and (iv) have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties. The regulation also contains a number of other requirements designed to protect the confidentiality, integrity and availability of information systems.

We at IFMR will be back with a more detailed analysis of the proposed regulation shortly. In the meantime, we remind readers that the proposed regulation is subject to a 45-day notice and public comment period following the September 28, 2016 publication in the NYS Register.

 

Christine Chung


This blog is edited by Christine Sgarlata Chung, Associate Professor of Law at Albany Law School, and Co-Director, Institute for Financial Market Regulation. In addition to her work in academia, Professor Chung previously served as a Branch Chief in the Enforcement Division of the Securities and Exchange Commission and as a partner at a large Boston-based law firm.