
New York Imposes New Cybersecurity Regulations

by John DiGiacomo

Partner

Data Breach

Effective January 1, 2017, banks, insurance companies, and other financial institutions regulated by the New York Department of Financial Services will be required to comply with new cybersecurity regulations (23 NYCRR Part 500). The New York regulations are closely aligned with the Center for Internet Security's CIS Critical Security Controls (the "CIS 20"), a widely adopted industry benchmark for cybersecurity and threat prevention. New York, home to Wall Street and many financial services providers, took the initiative to impose cybersecurity best practices on an industry that so many Americans depend on, as the number of data breaches affecting businesses and financial services providers continues to increase. We have written extensively on this blog about the increase in data breaches and third-party data risks.

Key Provisions of the New York Cybersecurity Regulations

A few of the provisions that are particularly important include:

  • Financial Services Providers Must Develop Cybersecurity Programs and Policies. Every covered entity must establish a cybersecurity program (Section 500.02) and adopt a written cybersecurity policy (Section 500.03) within 180 days of the regulations taking effect. The program must be designed to protect the confidentiality, integrity, and availability of the entity's information systems, which includes identifying threats, defending against attacks, and detecting, responding to, and recovering from cybersecurity events. The policy sets out the entity's procedures for protecting its information systems and the data on them and for managing cybersecurity risk.
  • Appoint a Chief Information Security Officer. Under Section 500.04, each covered entity must designate a qualified individual to serve as Chief Information Security Officer (CISO), responsible for overseeing and implementing the company's cybersecurity program, enforcing its cybersecurity policy, and reporting on the state of the program to the entity's board.
  • Maintain Cybersecurity Personnel and Intelligence. Covered entities must employ cybersecurity personnel sufficient to manage their cybersecurity risks and to perform the core functions of the program, provide those personnel with regular cybersecurity updates and training, and take steps to ensure they maintain current knowledge of the ever-changing threat landscape and its countermeasures.
  • Systems Must Undergo Penetration Testing, Vulnerability Assessments, and Risk Assessments. Covered entities' information systems must be subjected to penetration testing at least annually, vulnerability assessments at least quarterly, and a cybersecurity risk assessment at least annually. The risk assessment is not a standalone exercise: its findings are meant to inform the design of the program and policy.
  • Implementation of Multi-Factor Authentication. Covered entities must require multi-factor authentication for access to their information systems, including any individual's access to internal systems or data from an external network and privileged access to database servers.
  • Financial Services Providers Must Maintain an Audit Trail. Covered entities must implement audit trail systems that track and maintain data sufficient to allow a complete and accurate reconstruction of a breach or attack on their systems. The audit trail must log access by authorized users, protect the integrity of the logged data and of the hardware it runs on, and be protected against tampering or alteration. In practice this means logs must be retained and written to storage that the accounts being monitored cannot modify or delete.
  • Policies for Third Parties With Access to Covered Entities' Systems. Where third-party service providers have access to a covered entity's information systems or data, the covered entity must adopt written policies governing that access, including due diligence on the provider's cybersecurity practices, minimum cybersecurity requirements the provider must meet, periodic reassessment, and contractual terms that hold the provider to the company's cybersecurity policies.

Contact a Data Breach Attorney

The New York cybersecurity regulations for financial services providers are just one recent example of how the area of cybersecurity is constantly changing. Revision Legal consistently stays at the forefront of this change and can help you and your business with compliance and breach notification laws. Revision Legal works with entities in all fifty states to handle a wide array of cybersecurity issues. Contact the experienced data breach attorneys at Revision Legal using the form on this page or call us at 855-473-8474.

Photo credit to Flickr user julio lima.
