As Hogan Lovells previously reported, the New York State Department of Financial Services has launched a significant initiative to impose detailed cybersecurity requirements on covered financial institutions. On February 16, NYDFS issued its Final Rules, following the initial proposed rules published in September 2016 and two rounds of feedback via industry complaints and public comment. The Final Rules set forth requirements for a risk-based approach to cybersecurity, and include expectations for reporting on cybersecurity risks and events to senior management and NYDFS.
The New York Department of Financial Services just issued major revisions to the cybersecurity regulations for financial institutions that were due to come into effect on January 1, 2017. To allow covered institutions more time to implement the rules, the effective date will now be March 1, 2017, with a series of staggered implementation dates beyond this. There are several notable substantive changes in the revised rules.
On September 12, New York Governor Andrew Cuomo broke new ground in proposing a state-level regulation that would require banks, insurance companies, and other financial services entities regulated by the New York Department of Financial Services to establish formal cybersecurity programs.
On November 9, 2015, Anthony Albanese, Acting Superintendent of the New York State Department of Financial Services, issued a letter to a wide array of federal and state financial services regulators that are part of the Financial and Banking Information Infrastructure Committee. The FBIIC members work together to enhance the reliability and security of financial sector infrastructure. Mr. Albanese’s letter outlines potential new cybersecurity regulations that would impact NYDFS-regulated financial institutions. The letter, which follows numerous steps taken by the NYDFS in recent years to better understand and mitigate cybersecurity risks, further positions the NYDFS as a leading regulator on cybersecurity issues in the U.S., particularly with respect to the financial sector. While no precise timeline was specified for enacting the potential regulations outlined, it appears likely that the NYDFS may formally propose comprehensive cybersecurity regulations in the months ahead.