United States: Cadwalader Attorneys Prepare For New NYDFS Cybersecurity Rules
Last Updated: September 20 2017

New York Department of Financial Services ("DFS") cybersecurity rules went into effect on August 28, 2017 (see previous coverage).

In a memorandum, the attorneys reviewed the new requirements under the "first-in-the-nation" rules, concluding that "failure to comply will place 'Covered Entities' – and, potentially, their employees, managers, and directors – at risk of enforcement actions and penalties."

As outlined in the memorandum, "covered entities" include natural persons or businesses "operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization" under New York banking, insurance and financial services laws. The attorneys stated that New York branches of out-of-state domestic banks are exempted from the rules, and that limited exemptions exist for certain covered entities.

As of August 28, compliance is required for the following provisions: (i) implementation of a cybersecurity program and a written cybersecurity policy or policies approved by the board of directors of the entity or its senior officer, (ii) designation of a "Chief Information Security Officer" to protect data and systems, and retention of cybersecurity personnel to monitor cyber threats and countermeasures, (iii) periodic review and application of appropriate limitations to confidential data and computer networks, and (iv) submission of notices of certain cybersecurity events to the DFS Superintendent within 72 hours of any occurrence. The attorneys prepared a visual brief that highlights relevant compliance dates.

The Cadwalader memorandum was authored by Joseph Moreno, John Moehringer and Joseph Facciponti.

Commentary / Joseph V. Moreno

The DFS has a reputation as being a tough regulator that has imposed harsh penalties on financial institutions and their employees for failing to adopt robust compliance programs addressing other forms of financial crime, such as money laundering and sanctions violations. Although it is not yet clear how strictly the DFS will enforce the new cybersecurity rules, DFS Commissioner Maria Vullo has declared cybersecurity to be a high priority and vowed that "[r]egulated entities will be held accountable" for failing to safeguard customer information. Accordingly, insurance companies, banks, and other financial services companies regulated by the DFS should consult with counsel regarding their cybersecurity programs in light of these strict new rules.

