New York Proposes Cybersecurity Rule Update

Consequently, New York’s proposed update could affect data security rules for financial services companies and professionals all over the country.

The Proposal

Regulators have called for New York state to:

• Apply the new regulations to insurance organizations, state-regulated banks, other state-regulated lenders, and other individuals and entities that come under the state’s Financial Services Law.
• Establish a new group of “class A” financial services companies, or companies with more than $20 million in gross annual New York state revenue and either a minimum of 2,000 employees or $1 billion in total gross annual revenue.
• Require that a class A company conduct an independent audit of its cybersecurity programs at least once per year and make users choose hard-to-guess passwords.
• Increase the small-firm exemption cutoffs for some provisions to 20 employees and $15 million in assets, from the current threshold of 15 employees and $10 million in assets.
• Require a covered entity to tell New York regulators about any “deployment of ransomware within a material part of a covered entity’s information systems,” and to explain the reasons for any payments made to ransomware senders.
• Exempt individual insurance brokers who have been out of the insurance and annuity business for at least one year, and who do not own, access or possess nonpublic personal information, from the requirements.

A Broad Reach

Adrienne Harris, the New York state financial services superintendent, noted in a comment that parts of the proposed rule would, and should, apply to all companies her department oversees.

“Cyber criminals go after all types of companies,” Harris said.

Photo: Adrienne Harris (Photo: New York State Department of Financial Services)