In January 2017, the New York Department of Financial Services adopted a rule requiring covered entities to adopt a comprehensive cybersecurity program.  In particular, the cybersecurity program must:

• identify internal and external risks to nonpublic Information (NPI);
• use defensive infrastructure, policies, and procedures, to protect Information Systems;
• detect cybersecurity events;
• respond to, mitigate the effects of, and recover from cybersecurity events; and
• fulfill all reporting obligations.¹

Other requirements of the rules include:

• All covered entities must also implement written policies and procedures concerning risk assessment and conduct risk assessments of their Information Systems periodically, and must implement a written incident response plan to respond to and recover from any cybersecurity event that affects the covered entity’s Information Systems or business.²
• All covered entities also must implement written policies and procedures concerning Third-Party Service Providers.³
• Covered entities must designate a qualified individual to oversee and implement the covered entity’s cybersecurity program and enforce its cybersecurity policy, serving as chief information security officer (CISO) or in a comparable position.⁴

The rules also include a number of technical, reporting, and recordkeeping requirements of which covered entities must be aware.  In particular, the rules impose a 72-hour notification requirement for certain cybersecurity events that meet threshold triggers.⁵

Several states have also adopted the National Association of Insurance Commissioners (NAIC) data security model law, which was based on the NYDFS cybersecurity regulation.  To date, 13 states have adopted the NAIC model law, including: Alabama, Connecticut, Delaware, Indiana, Louisiana, Michigan, Mississippi, New Hampshire, Ohio, South Carolina, Virginia, North Dakota, and Maine.

¹ N.Y. Comp. Codes R. & Regs. tit. 23, § 500 (2017).