First US cybersecurity law takes effect in New York

The new regulation focuses on minimum standards for implementing cybersecurity programs and practices, and encourages firms to stay on top of technological advancements.

In line with a heightened focus by the private funds industry on cybersecurity, New York state has adopted the US’s first cybersecurity regulation to protect consumers and financial institutions, effective March 1.

The regulation, which requires banks, insurers and other financial services organizations regulated by the New York Department of Financial Services (DFS) to have a cybersecurity program in place, was announced in mid-February and came into effect on March 1.

“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber-attacks,” Governor Andrew Cuomo said in a DFS statement from February 16.

The new law requires firms doing business in New York to establish risk-based standards for their technology systems, such as protecting data through encryption, to report on their cybersecurity programs, and to certify their compliance with the regulation to the DFS every year.

DFS initially published the proposed regulation in September, followed by a 45-day comment period, and announced an updated proposal in December, which was followed by a 30-day comment period. According to the February DFS statement, the final version incorporated appropriate suggestions from the comment periods and sets minimum regulatory standards, along with the expectation that firms keep pace with technological change.

This state-wide implementation comes amid the private equity industry’s increased awareness of potential cybersecurity risks. As pfm reported in January, cybersecurity remains one of the Securities and Exchange Commission’s top examination priorities for 2017, particularly for private fund advisors.

At the national level, the SEC has proposed rules requiring registered investment advisors to adopt and implement written business continuity and transition plans, as reported by pfm. The agency is focused on protecting customer data, and these plans would come into play in the event of a cyber-attack.