New York finalizes cybersecurity regulations for financial institutions

Purpose To analyze the cybersecurity regulations for financial institutions issued by the New York State Department of Financial Services on February 16, 2017. Design/methodology/approach This article summarizes the regulations’ scope and requirements including definition of Covered Entities and substantive requirements including periodic Risk Assessments, cyber policies, dedicated and trained personnel, testing, audit trails, control over Third Party Service Providers, authentication, secure disposal, encryption, and incident reporting. Findings The regulations go beyond federal requirements in a number of important respects. Originality/value This article provides a guide for regulated entities to start preparing for compliance with the new regulations from experienced lawyers with specialties in cybersecurity, privacy and communications.