The New DFS Cybersecurity Regulation: What Every Attorney Should Know

Business technology has been exploding in recent years, and so has the cyber risk that comes with it. As these changes accelerate, the law has struggled to keep up.

On March 1, 2017, the first-of-its-kind mandatory state cybersecurity regulation took effect via the New York State Department of Financial Services (DFS). The Cybersecurity Requirements for Financial Services Companies (23 NYCRR § 500) creates mandatory risk management and security regulations for companies in banking, insurance and financial services and brings with it a series of security-related requirements (including reporting requirements beyond data breaches).

At first glance, the regulation may appear limited to the banks, insurance and financial services companies regulated by DFS, but its third party provisions tell a different story. 

What effect will the cybersecurity regulation have beyond the companies regulated by DFS? How does it alter the cyber law landscape? And for attorneys outside of New York, how might the regulation serve as a bellwether for changes nationwide?

Learning Objectives:

1. Identify who is covered by the cybersecurity regulation

2. Recognize who else can be affected

3. Comprehend the regulation’s core requirements (and benefits)

4. Appreciate potential downstream effects

5. Understand counsel’s role in compliance

6. Anticipate potential changes on the national scene augured by the DFS Regulation