New York State is Setting a New Precedent on Financial Cybersecurity Regulation

On March 1, 2017, Maria Vullo, Superintendent of Financial Services for the Department of Financial Services in the state of New York, promulgated Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York, into law. This new regulation is more commonly referred to as the controversial NY state financial cybersecurity rule. Many financial institutions fought this rule vigorously because they view the bill as unprecedented, overly restrictive, and extremely costly for compliance.

The cybersecurity rule is aimed at regulating certain banks and financial institution that hold sensitive business and consumer information.  The rule requires covered financial institutions—entities subject to NYDFS authority under New York banking laws— to adopt detailed protection programs, policies, and procedures to protect their Information Systems from cybersecurity threats. Although the rule was promulgated on March 1, the timeframe for compliance requirements set forth in the rule will come in different stages. Covered institutions will have about six months from March 1^st to establish compliance with the rules. The first compliance deadline, August 28, 2017, requires covered financial institutions to be in compliance with the following: “the requirement to have a cybersecurity program and cybersecurity policies and procedures; the designation of a CISO; the access privileges requirement; the requirements relating to cybersecurity personnel and cybersecurity intelligence; the requirement for an incident response plan; and the requirement to provide notice of certain cybersecurity events to NYDFS and to document remedial efforts.” There are three more certification compliance dates, March 1, 2018, September 3, 2018, and March 1, 2019, so the covered financial institutions have exactly two years from the date of promulgation to implement compliance programs for the rule.  State officials implementing the law hope that the rule creates “certain regulatory minimum standards while encouraging firms to keep pace with technological advances.”

All aspects of the worlds are becoming increasingly digital, so New York’s move towards increased security measures does not come as a complete surprise. The increased regulations are a no-brainer for New York State Governor Andrew Cuomo who stated, “New York [City] is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyber-attacks.” It appears the rule has support from New York officials across the board, as Superintendent Vullo has also stated, “New Yorkers must be confident that the banks, insurance companies and the other financial institutions that they rely on are securely handling and establishing necessary protocols that ensure the security and privacy of their sensitive personal information.”

The new rule is, apparently, the first of its kind says Cuomo, stating that “these strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place” to protect businesses and clients “from the serious economic harm caused by these devastating cyber-crimes.”  Furthermore, no other state and no other federal agency has the kinds of mandatory standards.  Many commenters and covered institutions believe that these rules are overly excessive, especially the new standards calling for banks and insurers to heavily scrutinize security at third-party vendors providing them goods and services.  Smaller banks believe that the new rules are overbroad in a sense that the regulators have created a “one-size-fits-all approach,” because they have not taken into account the different circumstances for each bank and the risk profile of smaller banks.  Smaller banks believe that, since costs will be extremely high for compliance with the new rules, they will be at an extremely high competitive disadvantage.  It appears, however, that Vullo is not too worried about compliance issues because updates of the rule have allowed “an appropriate period of time for regulated entities to review the rule… and make certain that their systems can effectively and efficiently meet the risks associated with cyber threats.”  Although this new rule appears to set an elevated bar for cybersecurity regulation in the financial industry, given that we are living in an ever-expanding state of the digital age and, therefore, an increase in cyber-attack exposure, it leads one to believe that it will not be too much longer until other states, and even federal agencies, have new regulations of their own.