“Finance is, arguably, the most regulated industry in the world.”[1] A significant regulation on the finance industry in New York State is 23 NYCRR 500, titled “Cybersecurity Requirements for Financial Services Companies.”[2] This regulation lays out various requirements that financial institutions must meet in order to ensure the safety of any nonpublic information and proper security from cyberattacks.[3] It is touted as “first of its kind” in terms of regulating cybersecurity in the United States.[4] However, there are those who say that the many regulatory standards governing the finance industry have increased the difficulty and cost of compliance, thus necessitating a harmonization of industry standards and streamlining of the cybersecurity process.[5]
Although the regulation came into effect on March 1, 2017, it allows for several transitional periods, which allow financial institutions time to implement many of the regulatory requirements.[6] On February 15, 2018, one of the major deadlines passed, by which point financial institutions were required to begin certification of their compliance under 23 NYCRR 500.17(b).[7] The regulation requires that either a board member or senior officer of the regulated entities annually “certify that the company is in compliance with the security requirements established by the [New York State D]epartment [of Financial Services]” (“DFS”).[8] The significance of this deadline is that there is now an individual who has signed the certification of compliance and may be held responsible should something not meet the regulatory standards – with a potential for liability of up to $75,000 per violation per day.[9]
The next transitional period will end on March 1, 2018.[10] By then, regulated entities will be required to include several new features in their compliance program, including the requirement to (1) have the Chief Information Security Officer provide written annual reports to the board of directors or governing body of the regulated entity,[11] (2) implement proper monitoring and testing procedures to assess the effectiveness of the entity’s cybersecurity program,[12] (3) conduct periodic risk assessments to detect any issues in the design of the cybersecurity program,[13] (4) implement the use of effective controls, such as multi-factor authentication, to prevent unauthorized access to nonpublic information or other information systems,[14] and (5) regularly provide cybersecurity training for its personnel, with updates tailored to the risks identified in the entity’s risk assessment.[15]
After March 1, 2018, there are two more transitional periods that remain.[16] There is the eighteen-month transitional period ending on September 3, 2018, as well as a two-year transitional period ending on March 1, 2019, by when all the regulatory requirements of 23 NYCRR 500 must be implemented by the regulated entities.[17]
Although implementing the new regulatory requirements may be difficult and costly for financial institutions, they are necessary to help improve the cybersecurity of financial institutions, given the increasing integration of finance with technology.[18] With this regulation in place, those working with financial institutions, whether they are businesses or individuals, can feel more secure in the privacy of their personal information.[19] While there may be room for streamlining of the compliance process, this regulation is a strong first step in the direction of cybersecurity in finance.
[1] Industries We Serve, Deeper Solutions, https://www.deepersolutions.net/industries (last visited Feb. 19, 2018).
[2] N.Y. Comp. Codes R. & Regs. tit. 23, § 500 (2018).
[3] See id.
[4] Nicole Shu & Cyril Korenbeusser, How New York Cyber-Regulation is Changing the Financial Industry?, Wavestone (July 7, 2017), https://www.wavestone.com/app/uploads/2017/07/Wavestone-Cyber-priorities-in-a-nutshell_VE.pdf.
[5] Josefa Velasquez, Latest NY Cybersecurity Deadline for Banks, Insurers Takes Effect, Law.com (Feb. 15, 2018), https://www.law.com/newyorklawjournal/sites/newyorklawjournal/2018/02/15/latest-ny-cybersecurity-deadline-for-banks-insurers-takes-effect/.
[6] See N.Y. Comp. Codes R. & Regs. tit. 23, § 500 (2018); Key Dates under New York’s Cybersecurity Regulation (23 NYCRR Part 500), Department of Financial Services, http://www.dfs.ny.gov/about/cybersecurity.htm (last visited Feb. 20, 2018).
[7] See N.Y. Comp. Codes R. & Regs. tit. 23, §§ 500.17(b), 500.21 (2018); Department of Financial Services, supra note 6.
[8] Josefa Velasquez, supra note 5; see also N.Y. Comp. Codes R. & Regs. tit. 23, §§ 500.17(b), 500.21 (2018).
[9] John Herzfeld & George Lynch, Looming N.Y. Cybersecurity Deadline Puts Pressure on Companies, Bloomberg BNA (Feb. 12, 2018), https://www.bna.com/looming-ny-cybersecurity-n57982088661/.
[10] See N.Y. Comp. Codes R. & Regs. tit. 23, § 500.22 (2018); Department of Financial Services, supra note 6.
[11] See N.Y. Comp. Codes R. & Regs. tit. 23, § 500.04(b) (2018).
[12] See id. § 500.05.
[13] See id. § 500.09.
[14] See id. § 500.12.
[15] See id. § 500.14(b).
[16] See id. § 500.22; Department of Financial Services, supra note 6.
[17] See N.Y. Comp. Codes R. & Regs. tit. 23, § 500.22 (2018); Department of Financial Services, supra note 6.
[18] See Josefa Velasquez, supra note 5; Ryan Browne, Everything You’ve Always Wanted to Know About Fintech, CNBC (Oct. 2, 2017, 3:12 AM), https://www.cnbc.com/2017/10/02/fintech-everything-youve-always-wanted-to-know-about-financial-technology.html.
[19] See generally N.Y. Comp. Codes R. & Regs. tit. 23, § 500 (2018).