The day has finally arrived for the financial services industry in New York. The new cybersecurity regulations issued by the New York State Department of Financial Services (DFS) are officially in force, after a 180-day grace period that followed the effective date of the regulations, March 1, 2017. These regulations, found at 23 N.Y.C.R.R. Part 500, mark a watershed moment in cybersecurity regulation in the United States. For the first time, a single state is regulating cybersecurity on a potentially global scale, and it has done so via the regulatory process, not legislative action.

These two developments change the landscape of cybersecurity regulation in two very distinct ways. First, by focusing on a global industry regulated within the state, Part 500 magnifies the potential reach of a state regulatory body immensely. Part 500 impacts not only covered financial institutions (defined as Covered Entities), but also third parties located around the world that provide services to these institutions. This is because of the defined Third Party Service Provider Security Policy required by Part 500, under which a Covered Entity must set certain “minimum cybersecurity practices” for every third party service provider doing business with the Covered Entity. It is perhaps because of this potential global reach that DFS attached a two-year phase-in period to the Third Party Service Provider Security Policy requirement.