A stream of cybersecurity enforcement actions have now begun to flow from the New York State Department of Financial Services (DFS), including pursuant to its cybersecurity regulation known as “Part 500.” See 23 N.Y.C.R.R. §500 et al. Regulated entities and cybersecurity practitioners should take note as the agency fashions regulatory expectations and signals that more enforcement is on the way.
First issued in March 2017, Part 500 contains a two-year implementation period intended to permit regulated entities to design and implement the required “robust” cybersecurity program. DFS took a patient regulatory approach during the interim period, encouraging firms to enact an adequate cybersecurity program and cheerleading for cybersecurity generally. See Matthew L. Levine, “Anticipating the First Cybersecurity Action from NYDFS,” New York Law Journal (Jan. 6, 2020).