Latest NY Cybersecurity Deadline for Banks, Insurers Takes Effect
Feb. 15 marked the second major deadline for the state agency's cybersecurity regulations, which requires banking and insurance companies doing business in New York to comply with groundbreaking rules aimed at deterring cyberattacks. A board member or senior officer at DFS-regulated entities has to certify that the company is in compliance with the security requirements established by the department, and must submit certification annually from now on.
February 15, 2018 at 02:54 PM
4 minute read
ALBANY - Beginning Thursday, banking and insurance companies regulated by the New York Department of Financial Services had to file their first annual certification of compliance with the department's cybersecurity regulations, which are expected to have national and global impact.
Feb. 15 marked the second major deadline for the state agency's cybersecurity regulations, which requires banking and insurance companies doing business in New York to comply with groundbreaking rules aimed at deterring cyberattacks. A board member or senior officer at thousands of DFS-regulated entities has to certify that the company is in compliance with the security requirements established by the department, and must submit certification annually from now on.
Mark Krotoski, a California-based partner at Morgan, Lewis & Bockius who advises clients on cybersecurity and privacy issues, said today's deadline is “very significant in terms of the implementation” of the regulations.
“The signature actually certifies that either the board of directors or a senior officer has reviewed relevant documents, reports and opinions of individuals inside [the company] or outside vendors and they are complying with the regulation. That's significant not only under this regulation, but this is one of the first entities to impose these requirements,” Krotoski said in an interview Thursday.
The regulations are slated to have far-reaching impact on financial services and insurers that do business in New York “because New York is obviously a very important place for commerce,” Krotoski said. “This affects many large financial institutions in the U.S. and foreign entities with presence in New York.”
With the compliance certification in place, “everyone is watching” what the enforcement actions by DFS will look like, Krotoski added.
In a statement to the New York Law Journal, DFS Superintendent Maria Vullo said that the compliance certification is a “critical governance pillar for the cybersecurity program of all DFS-regulated entities.”
“DFS's regulation requires each entity to have an annual review and assessment of the program's achievements, deficiencies and overall compliance with regulatory standards and the DFS cybersecurity portal will allow the safe and secure reporting of these certifications,” she added.
Vullo said the DFS' goal is to prevent cybersecurity attacks by making sure that proper precautions are taken by the banks, insurers and credit reporting agencies the department regulates. “As DFS continues to implement its landmark cybersecurity regulation, we will take proactive steps to protect our financial services industry from cybercriminals.”
The rules established in March require that financial services companies regulated by the DFS have state-approved plans to deter cyberattacks and report any attacks to the state agency within 72-hours of when they occur.
Today's deadline by the DFS is a “formal declaration” that companies regulated by the department are in compliance with the regulations, said Steven Grossman, the vice president of strategy at Bay Dynamics, a cybersecurity company that recently relocated from San Francisco to New York.
“Today's deadline doesn't change anything on the ground,” Grossman said in an interview. “What it changes is that you have a signature on paper stating that they're in compliance.” The deadline “puts someone's feet to the fire” to uphold that the company is in compliance, Grossman added.
Krotoski said that despite the phased in approach to the regulations, there are still growing pains. He said that the challenge being raised by clients is that there are “many different standards with regulators” and that efforts to comply with all of the different rules put in place by regulators is “costly and cumbersome.” Hopefully the “process becomes more harmonized and streamlined,” he added.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllFor Safer Traffic Stops, Replace Paper Documents With ‘Contactless’ Tech
4 minute readNYC's Administrative Court's to Publish Some Rulings in the New York Law Journal Is Welcomed. But It Should Go Further
4 minute readRulings From NYC's Administrative Law Court to Be Published in the Law Journal
Trending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250