From Banking and Finance Law Daily, February 17, 2017

New York’s financial services industry cybersecurity reg takes effect March 1

By J. Preston Carter, J.D., LL.M.

New York State’s "first in the nation" cybersecurity regulation takes effect March 1, 2017, Governor Andrew M. Cuomo announced. The regulation, intended to protect New York’s financial services industry and consumers from cyber-attacks, requires banks, insurance companies, and other financial services institutions regulated by the Department of Financial Services to establish and maintain a cybersecurity program designed to protect consumers’ private data and ensure the safety and soundness of New York’s financial services industry.

"New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyberattacks," Cuomo said. "These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes."

The final risk-based regulation (23 NYCRR 500) includes certain regulatory minimum standards while encouraging firms to keep pace with technological advances. The regulation provides protections to prevent and avoid cyber breaches, including:

  • controls relating to the governance framework for a robust cybersecurity program including requirements for a program that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization;
  • risk-based minimum standards for technology systems including access controls, data protection including encryption, and penetration testing;
  • required minimum standards to help address any cyber breaches including an incident response plan, preservation of data to respond to such breaches, and notice to the DFS of material events; and
  • accountability, by requiring identification and documentation of material deficiencies, remediation plans, and annual certifications of regulatory compliance to the DFS.

The regulation was proposed last September and updated in December (see Banking and Finance Law Daily, Sept. 13, 2016, and Dec. 29, 2016).
