Via FinOps Report: Cathy Mulrow-Peattie Discusses NYDFS Cybersecurity Regulation Implications for the Financial Services C-Suite

February 15, 2024

Cathy Mulrow-Peattie was recently featured in FinOps Report, discussing New York State's amended cybersecurity regulation and its implications for C-level executives, particularly financial services company management. The regulation requires CEOs, CISOs, and boards of directors to take a more active role in overseeing cybersecurity by imposing deadlines for certification of compliance and additional requirements for covered entities, Class A companies, and small businesses.

Under the amended regulation, material compliance does not mean absolute 100 percent compliance, but it does require that organizations subject to the NYDFS cybersecurity regulations take appropriate action; it is a risk-based determination.

Mulrow-Peattie explained in the article that the "best interpretation is that whatever is wrong with the firm's cybersecurity program won't be enough to harm the covered firm in the event of a cybersecurity incident."

Covered firms are required to certify compliance with cybersecurity regulations for each of their affiliates separately. If an affiliate has a cybersecurity program that meets all relevant requirements, the covered firm can choose to adopt it either in full or in part. However, each covered entity remains responsible for its own compliance and annual certification.

What Deadlines Are Companies Facing Now?

The NYDFS has expanded the factors to be considered in evaluating risk beyond network hacking to reputational and customer risks.

Mulrow-Peattie added that "[p]art of the CISO's risk assessment should be an understanding of the risks to an organization's reputation and customers if there are insufficient cyber controls and a subsequent incident occurs." Noting that cybersecurity is a team sport, she recommended that covered firms include their finance, marketing, compliance, and legal teams when conducting a risk assessment.

The NYDFS and the SEC cyber incident reporting and disclosure requirements have different purposes; one is focused on cybersecurity compliance, and the other is focused on the disclosure of material information for investment decisions. "Regardless of the distinctions between the NYDFS and the SEC's rules, covered firms making any disclosures of cybersecurity events to both agencies should ensure that the information given to regulators is consistent," said Mulrow-Peattie.

Learn more about the updated NYDFS cybersecurity regulations in our recent Privacy, Cyber & AI Decoded alert.

"NY's New Cyber Law Shines Stronger Light on C-Level" was published by FinOps Report on February 11, 2024.

Hinshaw & Culbertson LLP is a U.S.-based law firm with offices nationwide. The firm's national reputation spans the insurance industry, the financial services sector, professional services, and other highly regulated industries. Hinshaw provides holistic legal solutions—from litigation and dispute resolution, and business advisory and transactional services, to regulatory compliance—for clients of all sizes. Visit for more information and follow @Hinshaw on LinkedIn and X.