14 March 2017

New York State Department Of Financial Services Finalizes Cybersecurity Regulation

Shearman & Sterling LLP

Contributor


On February 16, 2017, the New York State Department of Financial Services issued its final cybersecurity regulation for financial services companies. The final regulation, which takes effect March 1, 2017, requires banks, insurance companies, and other financial services institutions regulated by the NYSDFS to establish and maintain a cybersecurity program designed to protect consumers' private data, based on an assessment of each institution's risk profile. The NYSDFS initially proposed the regulation in September 2016 and then revised and re-proposed it in December 2016. The final rule requires that the program be adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization. Additionally, the officer of each covered financial services company must annually certify the company's compliance to the NYSDFS. The final rule contains several changes from the original proposal, including clarification of the ability of a covered financial services company to rely on an affiliate's cybersecurity program to satisfy the rule, and expanded exemptions, including for entities with limited activities in New York.

The final rule is available at: http://www.dfs.ny.gov/legal/regulations/adoptions/rf23-nycrr-500_cybersecurity.pdf.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
