Cybersecurity: NY Adopts Final Regulations for Banks, Insurance Businesses and Other Financial Services Institutions

By Rajesh De, Jeffrey P. Taft, David A. Simon, Lawrence R. Hamilton, Steven M. Kaplan, Stephen Lilley, David L. Beam, David A. Tallman & Matthew Bisanz on March 21, 2017

Posted in Cybersecurity, Financial Services, Regulation, United States, US State Laws

On February 16, 2017, the New York State Department of Financial Services (“NYDFS”) finalized regulations that mandate cybersecurity standards for all institutions authorized by NYDFS to operate in New York, including many banks, insurance entities and insurance professionals doing business in New York. The final regulations, titled “Cybersecurity Requirements for Financial Services Companies,” implement a significantly revised version of the NYDFS’s September 13, 2016, proposal and became effective on March 1, 2017, with a phase-in period. In addition, the NYDFS issued frequently asked questions with corresponding answers on March 13, 2017 (the “FAQs”). This Legal Update (i) describes the relevant definitions and institutions affected by the final regulations, (ii) explains their substantive requirements and notes important points clarified in the FAQs and (iii) highlights some of the takeaways for the financial services industry.