New York Cybersecurity Regulations Take Effect, Increasing Role for Corporate Boards
Banks and other large New York financial institutions became subject to the New York Department of Financial Services’ cybersecurity regulations as of August 28, 2017. According to Bloomberg, critics say the regulations lack clarity regarding compliance and enforcement standards. The regulations, among other things, require organizations to establish a cybersecurity program, implement written cybersecurity policies and procedures approved by a senior officer or the organization’s board (or a board committee), and designate a person to head the program who will report to the board. Industry participants are hoping that New York will issue guidance on enforcement in the future, Bloomberg reported.

Meanwhile, the National Association of Insurance Commissioners recently approved the Insurance Data Security Model Law, which closely parallels New York’s cybersecurity regulation. In both the Model Law and the New York cybersecurity regulations, responsibility for an adequate cybersecurity program resides with the company’s board. Lawyers from law firm Clifford Chance estimate that the Model Law will likely be adopted in some form in most states, and thus signal a national approach to cybersecurity for the insurance industry. Some industry participants expect that D&O insurance policies may begin to include questions regarding compliance with the New York law, according to an Insurance Journal report.

Meanwhile, SEC Chairman Jay Clayton at a recent event in New York said he would like to see better disclosure around cyber risk, the Wall Street Journal reported. Clayton said regulators and firms need to do more to educate investors about the threat of cybercrimes.