The New York Department of Financial Services ("NYDFS") proposed revisions to cybersecurity rules, which apply to a wide range of insurance, banking and financial services companies ("Covered Entities") under its supervision. The cybersecurity rules require Covered Entities to adopt robust cybersecurity programs in order to protect sensitive and confidential data from theft by cybercriminals.
The proposed revisions would require Covered Entities to develop cybersecurity programs, policies and risk assessments, and would mandate that each Covered Entity appoint a Chief Information Security Officer ("CISO") to be responsible for the oversight, implementation and enforcement of the cybersecurity program and policies. The proposed revisions also would enhance certain technical security, recordkeeping, compliance and reporting requirements. Additionally, the proposed revisions would require Covered Entities themselves to impose cybersecurity requirements on any third-party service provider that has access to the information systems or nonpublic information of a Covered Entity.
In a recent memorandum, Cadwalader attorneys observed that the proposed revisions reflect NYDFS's strong belief that "time is of the essence regarding cybersecurity protections." The attorneys emphasized that failure to comply with the proposed revisions could result in enforcement actions by NYDFS.
The proposed revisions will become effective on March 1, 2017, after a 30-day notice and public comment period.