New York State Department of Financial Services Announces Proposed Cybersecurity Regulations

September 19, 2016

On September 13, 2016, the New York State Department of Financial Services (“DFS”) proposed new cybersecurity regulations for financial services companies.  Announced by Governor Andrew Cuomo, the proposed regulations will require a broad set of regulated financial institutions–including state-licensed banks, savings banks, savings-and-loan associations, private bankers, insurance providers, virtual currency providers, money transmitters, licensed lenders, mortgage companies, and state-licensed offices of non-U.S. banks–to maintain cybersecurity programs with specific characteristics prescribed by DFS.  The proposed regulations are subject to a 45-day public comment period and are slated to become effective on January 1, 2017.[1]

The announcement of the proposed regulations is the latest development in DFS’s years-long effort to push the financial sector to better protect itself and its customers from cyber threats.  As early as 2013, DFS began gathering information on cybersecurity practices and incidents in the banking sector.  Then-Superintendent Benjamin Lawsky made a number of high-profile public announcements about the importance of cybersecurity in 2014, emphasizing the degree to which the issue had become a DFS priority.  Also in 2014, DFS prepared a report on cybersecurity practices in the financial services industry designed in part to enable regulated entities to benchmark their cybersecurity programs against industry standards.[2]

The proposed regulations place a premium on oversight by regulated entities’ most senior leaders.  No longer is cybersecurity to be strictly an IT function: the proposed regulations state that “[s]enior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations.”  The cybersecurity policies required by the regulations must be reviewed by an entity’s Board of Directors or equivalent body, and approved by a senior officer.

The proposed regulations are extremely detailed in their prescription of what constitutes an acceptable cybersecurity program, and dictate that every such program must include, among other things:

  • Annual penetration testing and vulnerability assessments;
  • Maintenance of an audit trail system to reconstruct transactions and log access privileges;
  • Limitations and periodic reviews of access privileges;
  • Written application security procedures, guidelines and standards that are reviewed and updated by the Chief Information Security Officer (“CISO”) at least annually;
  • Biannual (or more frequent) reports from the CISO to the Board of Directors, or an equivalent body, addressing six specified issues;
  • Annual risk assessments of the confidentiality, integrity, and availability of information systems; adequacy of controls; and how identified risks will be mitigated or accepted;
  • Employment and training of cybersecurity personnel to stay abreast of changing threats and countermeasures;
  • The use of multi-factor authentication for certain users and use cases, including users with privileged access and use cases that include remote access;
  • Data minimization in the form of timely destruction of unneeded nonpublic information, except where retention is required by law or regulation;
  • Monitoring of authorized users and cybersecurity awareness training for personnel;
  • Encryption of all nonpublic information held or transmitted by regulated entities; and
  • Development and maintenance of a written incident response plan to respond to, and recover from, cybersecurity incidents.

Importantly, the proposed regulations require regulated entities to report to DFS within 72 hours any attempt, successful or not, to gain unauthorized access to, disrupt, or misuse the entity’s computer systems that has a reasonable likelihood of materially affecting the normal operation of the entity or that affects nonpublic information.  Unless modified during the public comment process, this provision will require regulated entities to report a wide range of attempted intrusions to DFS–a regulator that previously has not appeared on the list of government bodies to which regulated entities must make post-cyber incident reports.

Moreover, the regulations would apply broadly to any companies or individuals “required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law.”  This expansive definition sweeps within its ambit not just traditional players in the industry.  Companies with fewer than 1,000 customers in each of the last three calendar years, less than $5 million in gross revenue in each of the last three fiscal years, and less than $10 million in year-end assets are excused from some portions, but not all, of the proposed regulation.

While many of the proposed rules exist in the form of guidance from the Federal Financial Institutions Examination Council, New York would be the first state to codify such guidance into mandatory regulations.  The mandatory nature of the proposed regulations raises the possibility of enforcement action by DFS for noncompliance.  Investigations leading to such enforcement actions may begin as a follow-up to DFS’s annual reviews of regulated entities.  Even for companies that already have cybersecurity policies in place, the combination of the detailed, prescriptive nature of the proposed regulations with the potential for enforcement actions for noncompliance makes clear the need to evaluate existing policies against the proposed regulations.

   [1]   A copy of the proposed regulations may be found on DFS’s website at

   [2]   See Gibson Dunn Client Alert, New York and Federal Regulators Increasingly Focus Attention on Cybersecurity in the Financial Sector (Oct. 27, 2014), available at


The following Gibson Dunn lawyers assisted in the preparation of this client alert:  Alexander Southwell, Ryan Bergsieker, Eric Vandevelde and Melissa Goldstein.

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these developments.  For further information about these issues or any global privacy or cybersecurity issue, please contact the Gibson Dunn lawyer with whom you usually work, the authors, or the following members of the firm’s Privacy, Cybersecurity and Consumer Protection Group:


Alexander H. Southwell – Chair, New York (+1 212-351-3981, [email protected])
M. Sean Royall – Dallas (+1 214-698-3256, [email protected])
Debra Wong Yang – Los Angeles (+1 213-229-7472, [email protected])
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, [email protected])
Shaalu Mehra – Palo Alto (+1 650-849-5282, [email protected])
Karl G. Nelson – Dallas (+1 214-698-3203, [email protected])
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, [email protected])
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, [email protected])
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
Richard H. Cunningham – Denver (+1 303-298-5752, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])

© 2016 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.