The New York State Department of Financial Services has promulgated 17 new cybersecurity regulations which apply to regulated entities doing business in New York.  The new DFS rules apply to all entities under its jurisdiction, including insurance companies, insurance agents, banks, charitable foundations, consumer lenders, mortgage brokers, holding companies and premium finance agencies.

These regulations require encryption of all non-public information held or transmitted by the covered entity, require each regulated company to promulgate a written cybersecurity program, and appoint a chief information security officer (“CISO”), who must report directly to the board of directors and issue an annual report, setting forth an assessment of the company’s cybersecurity compliance and any identifiable risks for potential breaches. See New York 23 NYCRR Section 501 et. sec..