New York this year became the first state to set minimum cybersecurity standards by which all banks, insurance companies and other financial services institutions regulated by the state’s Department of Financial Services must abide, says Paul Ferrillo, an attorney at New York law firm Weil, Gotshal & Manges.
Since Aug. 28, the “Cybersecurity Requirements for Financial Services Companies,” codified as 23 NYCRR Part 500 under New York state law, has required banks, insurance companies and other financial services institutions regulated by DFS to put in place a cybersecurity program, maintain written policies, report all “cybersecurity incidents” and ensure a CISO is in place, among other requirements (see Gauging the Impact of New York’s New Cyber Rules).
In the interview, Ferrillo also discusses:
- The new 72-hour breach notification requirement;
- Overlaps between the U.S. regulation and other state and federal laws, and the EU’s General Data Protection Regulation;
- Potential penalties any DFS cybersecurity regulation violators might face.
Ferrillo is counsel in Weil’s litigation department, where he focuses on complex securities and business litigation, and internal investigations. He also is part of Weil’s cybersecurity, data privacy and information management practice. Ferrillo has authored several books, including “Navigating the Cybersecurity Storm: A Guide for Directors and Officers.” He previously served as vice president and associate general counsel at insurance giant AIG.
[Figure: DFS Cybersecurity Notification Requirements. Excerpt from New York’s “Cybersecurity Requirements for Financial Services Companies,” aka 23 NYCRR Part 500.]