S4 | MONDAY, NOVEMBER 14, 2016 | Litigation | NYLJ.COM
NYDFS Cybersecurity Requirements for Financial Services Companies: Are You Prepared?
BY ROBERT D. OWEN, MATT GATEWOOD AND TREVOR J. SATNICK
The threat of a data breach has reached all industry sectors in the last decade. In the financial sector alone, there were 1,368 confirmed data breaches in 2015, with confirmed data loss in 795 of those breaches.[1] While 47 states have implemented some form of a data breach notification law, these primarily reactive laws focus on post-breach requirements such as notification to customers and the provision of credit monitoring services. New York is attempting to create a more proactive regime.
In September 2016, the New York Department of Financial Services (NYDFS) proposed “Cybersecurity Requirements for Financial Services Companies” (the Requirements). Following a 45-day notice and comment period, the regulation is set to become effective on Jan. 1, 2017. The proposal would proactively require “Covered Entities” and third parties to enact a uniform, structured set of minimum cybersecurity requirements, eschewing typical state and federal statutory language that requires an entity merely to enact “reasonable policies and procedures.”
The Requirements focus on proper protection of nonpublic information (NPI) by the Covered Entities. Covered Entities are defined as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law, or the financial services law.” While it does not appear that the Requirements create a private right of action, the NYDFS Superintendent will have enforcement authority. Also, filing an improper or inaccurate now-required annual policy certification may open the door to increased organizational liability and could even result in personal liability for members of the board of directors or for the certifying officer.
Existing state cybersecurity statutes and pending legislation focus on three areas. First, states have enacted data breach statutes focused on post-breach notification and recovery. Second, states have enacted statutes allowing for funding of cybersecurity task forces and panels that release nonbinding recommendations and strategies for various industries. Third, some states have focused on internal government agency cybersecurity requirements, but have not extended these to the private sector.
While few states require that organizations meet particular standards when handling personally identifiable information, the NYDFS Requirements would govern NPI generally held by the Covered Entity. Covered Entities not otherwise exempt must also adhere to strict quantitative minimums imposed throughout the Requirements. Specific exemptions only apply to Covered Entities with (1) fewer than 1,000 customers in each of the last three years, (2) less than $5 million in gross annual revenue in each of the last three years, and (3) less than $10 million in year-end total assets. These exemptions are also limited in scope. For example, no Covered Entity will be exempt from establishing a cybersecurity policy. For those Covered Entities not exempt, the Requirements set forth 14 specific areas that each Covered Entity must address in its written cybersecurity policy. The policy will be reviewed by the Covered Entity’s board of directors (or equivalent governing body)[2] and then must be approved by a Senior Officer. This process must be undertaken at least on an annual basis.[3] The cybersecurity policy, however, is only one part of a 14-part cybersecurity program, which focuses on the industry’s
ROBERT D. OWEN is a partner at Sutherland Asbill & Brennan in New York. MATT GATEWOOD is a partner in the firm’s Washington, D.C. office, and TREVOR J. SATNICK is a data privacy and security consultant in the New York office.