
New York’s Cybersecurity Regulations Became Effective March 1, 2017

By Richard Creel posted 03-19-2017 19:47

  
New York's cybersecurity regulations became effective on March 1st, and they are the country's first state-mandated cybersecurity regulations for banking and financial services.

The regulation adapts industry best practices, such as guidelines issued by the Securities and Exchange Commission and the Financial Industry Regulatory Authority (FINRA), and contains 23 sections calling for such things as encryption of all non-public information, appointing a CISO, employee training in security, enhanced multifactor authentication, and the yearly submission by a senior officer of a certification affirming that the company is in compliance with the regulation's requirements.

Key elements of New York State's cybersecurity regulation include:

  • Establishment of a cybersecurity program

  • Adoption of a written cybersecurity policy

  • Mandatory chief information security officer

  • Cybersecurity training for employees

  • Third-party service provider risk

  • Incident monitoring and reporting

  • Information security audits

Under the new regulations, banks are now required to scrutinize their suppliers and to report on breaches that affect them. It is still an open question how much New York's new law differs from federal regulations. We truly believe these are the first steps that other states will be following too. Add to this the ABA Model Rules, under which lawyers have an ethical and legal responsibility to protect their clients' personal information, and it becomes critically important that law firms implement policies and procedures. At the least, these are steps that help manage ethical obligations.