New York Proposes Cybersecurity Rule Update
Requirements may ease for former insurance brokers but tighten for big companies.
The New York State Department of Financial Services wants to loosen data security requirements for some individuals and small firms and tighten the requirements for big companies.
The department put the size-based changes in a proposed amendment to financial services company cybersecurity requirements regulations that were adopted in 2017.
Comments are due by Jan. 9, 2023.
What It Means
Federal financial regulators have modeled their cybersecurity requirements on New York’s 2017 regulations.
Consequently, New York’s proposed update could affect data security rules for financial services companies and professionals all over the country.
The Proposal
Regulators have called for New York state to:
- Apply the new regulations to insurance organizations, state-regulated banks, other state-regulated lenders, and other individuals and entities that come under the state’s Financial Services Law.
- Establish a new group of “class A” financial services companies, or companies with more than $20 million in gross annual New York state revenue and either a minimum of 2,000 employees or $1 billion in total gross annual revenue.
- Require that a class A company conduct an independent audit of its cybersecurity programs at least once per year and make users choose hard-to-guess passwords.
- Increase the small-firm exemption cutoffs for some provisions to 20 employees and $15 million in assets, from the current threshold of 15 employees and $10 million in assets.
- Require a covered entity to tell New York regulators about any “deployment of ransomware within a material part of a covered entity’s information systems,” and to explain the reasons for any payments made to ransomware senders.
- Exempt individual insurance brokers who have been out of the insurance and annuity business for at least one year, and who do not own, access or possess nonpublic personal information, from the requirements.
A Broad Reach
Adrienne Harris, the New York state financial services superintendent, noted in a comment that parts of the proposed rule would, and should, apply to all companies her department oversees.
“Cyber criminals go after all types of companies,” Harris said.
Photo: Adrienne Harris (Photo: New York State Department of Financial Services)