In September 2016, the New York State Department of Financial Services (the “NYDFS”) proposed new cybersecurity regulations (the “Proposed Rules”) for banks, insurance companies and other financial institutions regulated by the NYDFS (“Covered Entities”). In some respects, the Proposed Rules would go beyond existing federal-level cybersecurity requirements. For example, the Proposed Rules would require each Covered Entity to encrypt all Nonpublic Information (which is broadly defined), rather than allowing the entity to determine what data to encrypt based on a risk assessment, as is currently required. In addition, the Proposed Rules would require each Covered Entity to notify the NYDFS of certain cybersecurity events within 72 hours, which is a shorter timeframe than is required under existing state and federal data breach notification rules. The Proposed Rules would also impose entirely new requirements. For example, on an annual basis, the board of directors or a senior officer of each Covered Entity would be required to certify to the NYDFS that the Covered Entity is in compliance with the Proposed Rules. This annual certification requirement potentially imposes personal liability on the directors or senior officers who sign such a certification.
This client memorandum summarizes the Proposed Rules' requirements, describes the most concerning provisions for Covered Entities, and compares the requirements to those in other federal and state cybersecurity and data breach frameworks and rules.