New York State’s powerful financial regulator, the Department of Financial Services (DFS), has recently grabbed the cybersecurity spotlight by issuing a first-in-the-nation cybersecurity regulation, which went into effect on 1 March 2017.
The regulation is a game changer for directors with responsibility over any financial institutions (including banks, trusts and insurance companies, referred to here as covered entities) that are required to operate under a licence, registration, or similar authorisation under New York’s Banking Law, Insurance Law or Financial Services Law. Although the regulation does not directly apply to national banks and federal branches of foreign banks, it does apply, for example, to New York-licensed lenders and New York-licensed branches of foreign banks. Because it applies regardless of where the institution is domiciled, the regulation’s impact is being felt around the world. It is groundbreaking in several respects.
First, it is a mandatory regulation, as opposed to ‘guidance’, that requires covered entities to establish a cybersecurity programme designed to protect the confidentiality, integrity and availability of the institution’s information systems and nonpublic information. Although the DFS does not spell out specific fines or penalties associated with violations, the regulation provides that it will be enforced pursuant to DFS authority ‘under any applicable laws’.