Lawyers who represent insurance companies, banks, insurance agents and other financial institutions in New York should be aware of new Department of Financial Services (DFS) cybersecurity regulations that become effective Jan. 1, 2017. The new DFS cybersecurity regulations require covered entities, including insurance companies, mortgage brokers, insurance agents and banks, to appoint a chief information security officer (CISO) and to develop a comprehensive cybersecurity program in order to prevent hacking and other data breaches.[1] In addition, the new DFS regulations will require the filing of an annual cybersecurity report, which must explain the state of the company’s compliance with the new regulations, identify any soft spots or potential areas for improvement, and be signed and certified by the company’s board chair or CEO.[2] The new regulations are codified at 23 NYCRR §500.0 and can be found at the DFS website, http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf.

This article will explain the new DFS regulations as proposed at the time of writing, and discuss their implications for law firms that represent financial institutions doing business in New York. Since the cybersecurity regulations are subject to a 45-day commentary period, there is a possibility that they could be subject to further revisions by the time of implementation.