Not quite; but legal operations folks need to pay attention, particularly with respect to third-parties.
Two years ago, New York’s Department of Financial Services (DFS), which regulates companies in the financial services industry, promulgated regulations in an effort to establish minimum cybersecurity requirements for companies that do business in New York (see 23 NYCRR 500 or click here).
Last month marked the deadline for certain regulatory activities required under the new DFS rules. How many companies have complied is anyone’s guess, but it seems useful to remind legal operations personnel and their IT security folks of their compliance obligations.
Under the regulations, any DFS-regulated entity doing business in New York is required to establish an internal cybersecurity program to protect information assets under their control. Organizations with less than 10 employees or revenue below $5 million or year-end assets under $10 million are exempt from some of the more onerous requirements, but it appears that even these smaller entities have obligations to limit access to information, assess their risk, implement policies related to third-party data control, and their own data disposition. All regulated entities are also obligated to report a breach event regardless of size.
Basically, the DFS is forcing financial services companies to implement information governance policies. This is not necessarily a terrible thing because, as I’ve indicated time and again, knowing what information an organization has, how it’s created, accessed, and where it’s stored and secured just makes good business sense.
Still, a few things stand out about these new regulations that many organizations may not have considered.