22 September 2016
On September 13, 2016, the New York Department of Financial Services ("DFS") proposed new and unprecedented regulations establishing minimum cybersecurity regulatory requirements (the "Proposed Regulations"). The Proposed Regulations demonstrate that cybersecurity continues to be a top priority for the DFS and signal that the DFS intends to vigorously enforce compliance with minimum cybersecurity standards. The Proposed Regulations would require each entity licensed by the DFS ("Covered Entity") to establish an enhanced cybersecurity program, adopt written cybersecurity policies, and file an annual certification of compliance ("Certification") to be provided by the board of directors or Senior Officers of each Covered Entity. The required Certification leaves little doubt that the new regulations will soon be an examination and enforcement priority for the DFS.
The Proposed Regulations are subject to a 45-day notice and public comment period before final issuance. If adopted, the Proposed Regulations would be effective on January 1, 2017, with a 180-day transitional period during which Covered Entities would be required to conform to the new regulatory requirements. The first Certification would be due in January 2018.