NY Department of Financial Services Proposes New Cybersecurity Rules

In September 2016, the NY Department of Financial Services (the “DFS”) proposed rules that would require anyone operating under the NY banking law, insurance law or financial services law (a “Covered Entity”) to adopt a cybersecurity program and a cybersecurity policy, to appoint a chief information officer (a “CIO”), to perform penetration and vulnerability testing, to report incidents promptly and to meet certain other requirements. Small firms – those with fewer than 1000 customers, less than $5 million in gross annual revenues AND less than $10 million in total assets – are exempt from the requirement to have a CIO and from certain other provisions, but not from the basic program and policy requirements. See the proposed rules, here. The DFS states that it is very concerned with the cybersecurity threats that have become evident in the recent past, and many welcome the rules as a complement to what the federal government is doing on cybersecurity. Others, however, are concerned that there may have been insufficient consultation with those responsible for cybersecurity at such firms and insufficient deference to what firms are already doing to protect confidential information. Moreover, under the proposed rules small firms may find compliance very burdensome.