Just as it promised a year ago, New York State proposed new prescriptive, minimum cybersecurity requirements for regulated financial services institutions. The regulations go final after a 45-day notice and public comment period. At that point, entities regulated by the NYDFS will be subject to the nation’s first prescriptive set of cybersecurity requirements, in contrast to the usual risk-based cybersecurity programs mandated by other financial regulators to date. Thus, unlike previous guidance and reports issued by financial regulators such as FINRA and the SEC, New York’s rules are specific requirements that all regulated financial institutions must adopt. In this Part I, we review the proposed requirements and offer some specific steps that regulated financial services institutions should begin to consider for compliance readiness.
In the wake of high-profile cyberattacks, boards of directors are increasingly being scrutinized by regulators, shareholders, and the public over their oversight of cybersecurity risk. In a chapter of “Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers” – a first-of-its-kind publication by the New York Stock Exchange – we explore the legal obligations of boards of directors and board members to oversee cybersecurity risk, the potential exposure that boards face in the current cybersecurity landscape if they do not meet those obligations, and strategies that boards may consider in mitigating that risk to strengthen the corporation and their standing as dutiful directors.