On September 13, 2016, the New York State Department of Financial Services (NYDFS) proposed cybersecurity rules that, if finalized in their current form, would create one of the most comprehensive, detailed and onerous cybersecurity standards in the country. While the proposed rules would apply only to financial institutions subject to the NYDFS’s authority under New York law, this proposal is important for all companies. It highlights a trend in which legislatures and regulators are revisiting decades-old approaches to cybersecurity and considering alternatives that would shift from a risk-based paradigm to a prescriptive approach. The NYDFS in particular has made great efforts to “spark additional dialogue, collaboration and, ultimately, regulatory convergence among” federal and state financial regulators on comprehensive cybersecurity standards for all financial institutions. In light of the significant role that New York plays in this country’s financial markets and NYDFS’s role as regulator for many financial institutions based in New York, this proposal comes with a level of credibility that could influence the broader, national dialogue and consideration of what cybersecurity standards are appropriate, even if NYDFS does not have unique expertise with respect to cybersecurity. If it does, consideration and monitoring of this proposal are important for all companies.
Read our client alert.