Blog: Cybersecurity Enforcement Activity From NYDFS Fashions Regulatory Expectations and Suggests More Enforcement Is To Come | New York Law Journal –

cybersecurityA stream of cybersecurity enforcement actions have now begun to flow from the New York State Department of Financial Services (DFS), including pursuant to its cybersecurity regulation known as “Part 500.” See 23 N.Y.C.R.R. §500 et al. Regulated entities and cybersecurity practitioners should take note as the agency fashions regulatory expectations and signals that more enforcement is on the way.

First issued in March 2017, Part 500 contains a two-year implementation period intended to permit regulated entities to design and implement the required “robust” cybersecurity program. DFS took a patient regulatory approach during the interim period, encouraging firms to enact an adequate cybersecurity program and cheerleading for cybersecurity generally. See Matthew L. Levine, “Anticipating the First Cybersecurity Action from NYDFS,” New York Law Journal (Jan. 6, 2020).

The regulation went fully into effect in March 2019. In July 2020 this grace period came to a jarring but not unexpected halt, when DFS commenced its first cybersecurity enforcement action under Part 500. The agency has now made clear to regulated industry that Part 500’s “clearly defined standards for cooperative industry compliance, robust consumer data protection, vital cybersecurity controls, [and] timely reporting of Cybersecurity Events” are ripe for continued enforcement.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s