Adrienne Harris (Photo: New York State Department of Financial Services)


New York Proposes Cybersecurity Rule Update


The New York State Department of Financial Services wants to loosen data security requirements for some individuals and small firms and tighten the requirements for big companies.

The department put the size-based changes in a proposed amendment to its cybersecurity requirements regulations for financial services companies, which were adopted in 2017.

Comments are due by Jan. 9, 2023.

What It Means

Federal financial regulators have modeled their cybersecurity requirements on New York’s 2017 regulations.

Consequently, New York’s proposed update could affect data security rules for financial services companies and professionals all over the country.

The Proposal

Regulators have called for New York state to:

  • Apply the new regulations to insurance organizations, state-regulated banks, other state-regulated lenders, and other individuals and entities that come under the state’s Financial Services Law.
  • Establish a new group of “class A” financial services companies, or companies with more than $20 million in gross annual New York state revenue and either a minimum of 2,000 employees or $1 billion in total gross annual revenue.
  • Require that a class A company conduct an independent audit of its cybersecurity programs at least once per year and make users choose hard-to-guess passwords.
  • Increase the small-firm exemption cutoffs for some provisions to 20 employees and $15 million in assets, from the current threshold of 15 employees and $10 million in assets.
  • Require a covered entity to tell New York regulators about any “deployment of ransomware within a material part of a covered entity’s information systems,” and to explain the reasons for any payments made to ransomware senders.
  • Exempt individual insurance brokers who have been out of the insurance and annuity business for at least one year, and who do not own, access or possess nonpublic personal information, from the requirements.

A Broad Reach

Adrienne Harris, the New York state financial services superintendent, noted in a comment that parts of the proposed rule would, and should, apply to all companies her department oversees.

“Cyber criminals go after all types of companies,” Harris said.



© 2024 ALM Global, LLC, All Rights Reserved.