As the consequences of recent, widely publicised data breaches and outright cyber attacks on financial institutions make clear, cyber security has rapidly become a central issue of corporate governance. Boards of directors and senior management of US financial firms can no longer view information security as an IT department-level concern, but must engage directly in matters of information security because of the potential for business and personal liability. If sound business practice were not reason enough for boards and senior management to become directly vested in cyber security at their firms, US regulators, at both the state and federal level, are now poised to make such involvement mandatory. Financial regulators are promulgating new cyber security regulations that require boards and senior management to assess, develop, implement and monitor information security risks, policies and procedures. This article examines two pending regulations – one New York State regulation and one US federal regulation – which are likely to have a broad impact on the financial sector, both across the US and abroad.

New York State has been among the leaders in the effort to regulate the protection of non-public personal and financial data. The New York State Department of Financial Services (NYDFS) announced a new set of regulations on 13 September 2016 – ‘Cybersecurity Requirements for Financial Services Companies’. After a required comment period, the regulations were revised on 28 December 2016, and are currently set to take effect from 1 March 2017, unless the regulations are again significantly altered in response to comments received or the NYDFS otherwise delays implementation. ‘Covered Entities’ – which include most financial and insurance firms with operations in New York – will then have 180 days to come into compliance with this broad set of regulations.

Jan-Mar 2017 Issue

Otterbourg P.C.