What Will The Proposed New York Cybersecurity Requirements For Financial Institutions Really Make Companies Do?
January 23, 2017
Authored by: David Zetoony
In early September 2016, the New York Department of Financial Services (“DFS”) proposed a set of data security regulations (the “Proposal”) that would govern financial institutions, banks, and insurance companies subject to the jurisdiction of the agency (“covered entities”). After receiving public comments, DFS revised and resubmitted the Proposal on December 28, 2016. If the Proposal ultimately goes into effect, it would require that covered entities have a written information security policy (“WISP”) and would outline specific provisions (substantive and procedural) that must be contained in that document. While the Proposal has garnered a great deal of public attention, the majority of the provisions in the latest version are not unique.
Prior to the Proposal, at least four states already required that if a company collected financial information about consumers within their jurisdiction, some or all of the company’s security program must be reduced to writing; three states required that an employee be specifically designated to maintain a security program. More importantly, the federal Gramm-Leach-Bliley Act (“GLBA”) contains broad requirements that mimic many of the Proposal’s provisions. This includes, for example, the requirement that a financial institution conduct a risk assessment and maintain data breach response procedures.