New York Department of Financial Services Issues Proposed Cybersecurity Regulations: Regulated Institutions to be Required to Establish Cybersecurity Program and Policies, Appoint CISO, and Certify Compliance

Sullivan & Cromwell LLP - September 19, 2016

On September 13, 2016, the New York State Department of Financial Services (the “DFS”) issued proposed regulations requiring banks, insurance companies, and other financial services institutions regulated by the DFS (“Regulated Institutions”) to establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity, and availability of the Regulated Institution’s information systems (the “Proposed Regulations”).  The Proposed Regulations would also require Regulated Institutions to implement and maintain a written cybersecurity policy setting forth policies and procedures for the protection of their information systems and the nonpublic information stored therein.  Starting January 15, 2018 and annually thereafter, Regulated Institutions would be required to submit a certificate, of the Board chairperson or a senior officer, to the DFS attesting compliance with the Proposed Regulations.