The New York State Department of Financial Services (“NYDFS”) recently announced the country’s first state regulations requiring the establishment and maintenance of cybersecurity programs for financial institutions: “Cybersecurity Requirements for Financial Services Companies.”
On December 28, 2016, the NYDFS published an updated version of the regulations and delayed implementation, which was originally proposed for January 1, 2017; the regulations have now been in effect since March 1, 2017. The revisions were likely a response to criticism and concerns raised by banking and insurance industry representatives and others that the original regulations did not distinguish between small and large financial institutions and were more rigid than the guidelines promulgated by FINRA and the FFIEC.
While the revised regulations allow for more flexibility, compliance remains a challenge for many financial institutions that have not developed a dedicated cybersecurity program. Many of the requirements are now based on a thorough Risk Assessment that includes assessing particular risks of business operations, in addition to IT operations, that relate to cybersecurity. This Risk Assessment must be regularly revisited to consider technological developments and evolving threats.