
Alert


March 16, 2017

New Cybersecurity Regulations May Apply to Companies That Do Business With NYS Chartered or Licensed Banks, Mortgage Bankers, Insurance Companies and Others

As we reported on March 6, 2017, the NYS Department of Financial Services (DFS) issued detailed new cybersecurity regulations for certain "Covered Entities" (defined below) that operate under DFS jurisdiction, including certain banks, insurance companies, and other "financial services" providers. However, the new regulations will reach beyond just these Covered Entities because they also contain requirements that will impact businesses that work with the Covered Entities and have access to private information about Covered Entities' borrowers, customers, or other persons.

For example, these regulations may apply to a wide range of businesses that provide services to, or receive/process confidential customer data from, banks, insurance companies, charitable foundations, mortgage bankers, and insurance brokers. The list of potentially affected "third party service providers" could include law firms, accounting firms, IT service providers, federally chartered institutions providing correspondent banking services, non-NY licensed loan servicers and non-NY licensed persons and companies providing services to insurance companies or brokers, and, in certain circumstances, could possibly extend to manufacturing businesses, staffing agencies, and even construction companies.

Third party providers that fall within the scope of the regulations may be required to implement policies and procedures relating to how various computer systems are accessed (including possibly requiring the use of Multi-Factor Authentication), how data is stored or transferred between systems (including requirements for the use of encryption technology), and what they must do in the event of a data breach (including specific notice requirements and other obligations).

As noted above, the regulations apply directly to any "Covered Entity," which is defined in the regulations as "any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law." This is a very broad definition that itself poses some difficulty. As also noted above, it will certainly include various banks and insurance companies, but may also include entities that you may not readily identify as "financial services" companies, such as certain charitable foundations and holding companies.

Because DFS does not have jurisdiction over the third party service providers, the regulations require the Covered Entities themselves to impose requirements on third party service providers. Among other potential requirements, the Third Party Service Providers will be required to: (1) have policies and procedures relating to access controls (including the use of Multi-Factor Authentication) with regard to third party access to the Covered Entity's information systems; (2) have policies and procedures for use of encryption of the Covered Entity's private data; (3) follow specific notice requirements and other procedures in the event of a cybersecurity breach event involving a Covered Entity's private data; and (4) provide representations and warranties to the Covered Entity affirming that the Third Party has the policies, procedures, and practices in place to ensure the security of the Covered Entity's private data.

There are various deadlines that the Covered Entities are required to meet in terms of complying with the various aspects of the regulations. With regard to third party providers, Covered Entities have until March 1, 2019 to ensure that all of their third party service providers comply with the applicable requirements.

These new regulations are likely to affect the cost of providing services to Covered Entities, and could impact the manner in which third parties provide their services to Covered Entities. We recommend that any business that provides services to a potential "Covered Entity" assess those relationships to determine whether it might fall within the scope of the regulations as a "third party service provider." If you are a third party service provider, review your agreements with Covered Entities and assess your existing policies, procedures, and practices in relation to cybersecurity, including system access and encryption, to determine the impact of compliance and the steps to be taken to comply with the new requirements.
