United States: NYDFS Proposes Revisions To Cybersecurity Requirements

The New York Department of Financial Services ("NYDFS") proposed revisions to cybersecurity rules, which apply to a wide range of insurance, banking and financial services companies ("Covered Entities") under its supervision. The cybersecurity rules require Covered Entities to adopt robust cybersecurity programs in order to protect sensitive and confidential data from theft by cybercriminals.

The proposed revisions would require Covered Entities to develop cybersecurity programs, policies and risk assessments, and would mandate that a Covered Entity must appoint a Chief Information Security Officer ("CISO") to be responsible for the oversight, implementation and enforcement of the cybersecurity program and policies. The proposed revisions also would enhance certain technical security, recordkeeping, compliance and reporting requirements. Additionally, the proposed revisions would require the Covered Entities themselves to impose cybersecurity requirements on any third-party service provider that has access to the information systems or nonpublic information of a Covered Entity.

In a recent memorandum, Cadwalader attorneys observed that the proposed revisions reflect NYDFS's strong belief that "time is of the essence regarding cybersecurity protections." The attorneys emphasized that failure to comply with the proposed revisions could result in enforcement actions by NYDFS.

The proposed revisions will become effective on March 1, 2017 after a 30-day notice and public comment period.

Click here to view the Cadwalader Memorandum authored by Joseph Facciponti, John Moehringer and Howard Wizenfeld.

Commentary / Joseph Facciponti

It remains unclear at this point how aggressively NYDFS will seek to penalize Covered Entities that fail to comply with the Revised Rules, but it is the Superintendent's view that cybersecurity is an area in which New York State should take the lead. In the past, NYDFS has imposed steep fines on Covered Entities (and/or demanded the termination of compliance officers) that allegedly failed to implement and maintain appropriate policies and procedures in other contexts, such as that of anti-money laundering compliance programs.

Accordingly, the Revised Rules create new areas of uncertainty and potential liability for Covered Entities and their boards, senior officers and CISOs. Moreover, third-party service providers, including professional services firms, may face clients' demands that they adopt appropriate cybersecurity compliance programs.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.