The New York Department of Financial Services (NYDFS) has proposed regulations that require all financial services businesses operating in New York to develop and maintain a comprehensive cybersecurity program. The regulations impose significant minimum cybersecurity requirements and mandate board of directors involvement and accountability. Covered businesses should immediately evaluate their existing cybersecurity programs against the NYDFS regulations and begin to develop a plan for full compliance.
What Businesses are Covered?
The NYDFS is a relatively recent amalgamation of New York’s banking and insurance departments and is sweeping in its jurisdiction. The proposed regulations apply to every business operating in New York that is required to have a “license, registration, charter, certificate, permit, accreditation or similar authorization” under New York’s banking, insurance, or financial services law.
While this includes banks and insurers, it also includes related businesses. Brokers, including mortgage and insurance brokers, as well as bail bond agents, check cashers, non-profit credit counselors and budget planners, licensed lenders, premium finance agencies, and others, are potentially subject to the regulations. (NYDFS supervised businesses are discussed here.)
There are limited exceptions for those covered businesses that meet all three of the following:
• fewer than 1000 customers in each of the last three calendar years;
• less than $5 million in gross annual revenue for each of the last three years; and,
• less than $10 million in year-end total assets (including all affiliates) as calculated in accordance with GAAP.
The Proposed Regulations
The regulations require that covered businesses develop comprehensive cybersecurity policies and plans that meet dozens of specific and technical requirements listed in the regulations.