First-in-the-Nation Cybersecurity Regulation Coming Soon for Companies Covered by Banking, Insurance, and Financial Services Laws

First-in-the-Nation Cybersecurity Regulation Coming Soon for Companies Covered by Banking, Insurance, and Financial Services Laws

Posted on Oct 18, 2016

If your company is a regulated financial institution, you need to know about the new cybersecurity regulation that is proposed to go into effect on January 1, 2017.

In September 2016, Governor Cuomo announced a proposed regulation to protect New York State from cyber-attacks. The rule has many specific requirements that are meant to protect consumer data and financial systems from terrorists and other criminals. Here’s what you need to know.

Will this regulation affect my company?

If you operate or are required to operate under a license, registration, or similar authorization under the banking law, insurance law, or the financial services law in New York State this applies to your business.

But you are exempt if all of the following apply to your business:

  1. It has fewer than 1,000 customers in each of the last 3 calendar years
  2. It has less than $5 million in gross annual revenue in each of the last 3 fiscal years
  3. It has less than $10 million in year-end total assets

Essentially, if you are an insurance or financial services company with 25 to 30 employees, this regulation will apply to you.

What key things do I need to know?

  • Proposed regulation is to be effective January 1, 2017.
    (The proposed regulation is subject to a 45-day notice and public comment period following the September 28, 2016 publication before its final issuance.)
  • Covered Entities have 180 days from the effective date to comply.
  • The regulation requires Covered Entities to:
    • Establish a cybersecurity program, which includes quarterly vulnerability assessments and other obligations
    • Adopt a written and verifiable cybersecurity policy (that covers at least 14 areas of cybersecurity and every single employee that has authorized access to your company’s data)
    • Designate a qualified Chief Information Security Officer
    • Be ready for audits
    • Include security policies in third-party service provider contracts

Why does the regulation affect my company if we’re not in New York?

“New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises,” said Governor Cuomo.

As a national and international leader, New York typically sets the standards for best practices—especially in the insurance field—that other states follow. Even if your company is not located in New York, if you do any business in New York, then you must comply.

How should I prepare?

  • Review the proposed regulation and related reports. (See Resources below.)
  • Identify any compliance gaps in your current policies, practices, and procedures.
  • Consider how to best fill in those gaps, given the nature and size of your business.

We’ll help you get compliant.

This new regulation has significant cybersecurity requirements. Feeling overwhelmed? We can help analyze your policies and procedures to fill in the compliance gaps. We can also make sure your cybersecurity liability and breach insurance are properly aligned with your processes. Call us soon to get started—the January 1st effective date is right around the corner.

Resources