New York is Raising the Cybersecurity Bar

View Authors November 2017

Over the past couple years, entities operating in the US have been inundated with a patchwork of state and federally enforceable regulations, as well as non-binding "guidelines" or "recommendations." Under existing law in a handful of states, organizations are required to secure personal information for in-state residents, while other states require ensuring the security of any personal information, including that of non-residents. In the financial services sector, the developing body of enforceable regulations have centered around mandating sufficient security measures to protect personal financial information, transaction data and funds. Federal and state agencies, trade associations and professional organizations have also taken it upon themselves to publish their own respective cybersecurity guidelines.

Entering the fray of cybersecurity regulation, the New York Department of Financial Services (NYDFS) issued new cybersecurity rules for licensed entities. The NYDFS passed a cybersecurity rule – 23 NYCRR 500 (Part 500) – applicable to most banks, financial services entities and insurance entities licensed by the state[i], subject to certain exemptions. The regulations under this rule surpass the basic requirements under existing state cybersecurity statutes. Organizations governed by this state agency must now develop strong cybersecurity programs and implement specific security controls, policies and procedures to protect their information.

[i] A "Covered Entity is [any entity] operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law." 23 NYCRR Section 500.01(c).

This article was published in Thomson Reuters' FinTech Law Report: E-Banking, Payments and Commerce in the Mobile World in the September/October 2017 issue.