Effective 1 January 2017, the New York State Department of Financial Services (DFS) is expected to implement new cyber security requirements which require regulated financial companies doing business in New York to adopt comprehensive written programmes and procedures to prevent data breaches and other cyber security events. The new cyber security regulations affect any licensed entity doing business under the New York Banking Law, Insurance Law, or Financial Service Law, including insurance carriers, banks, insurance agents, consumer lenders, mortgage brokers and other entities under DFS jurisdiction. This regulation may signal a potential wave of cyber security requirements imposed by financial industry regulators. Since most financial firms do business in New York, the implications of the DFS cyber security regulations can be expected to be broad-reaching. And while Massachusetts has recently enacted a law requiring all businesses to encrypt confidential personal information stored on portable devices or transmitted electronically where technically feasible, New York’s regulations are directed specifically toward the financial services industry.

Under the new cyber security regulations, each financial services company operating in New York “shall establish and maintain a cybersecurity program to ensure the confidentiality, integrity and availability of the covered entity’s information systems”. The DFS regulations further require each cyber security programme to identify internal and external cyber risks, develop and implement defensive infrastructure to protect the company’s information system, detect cyber security events and fulfil regulatory reporting obligations.

Jan-Mar 2017 issue

Mound Cotton Wollan & Greengrass LLP

OneBeacon Insurance Group