Securities Enforcement Defense Co-Chair and Partner Danette Edwards and Privacy, Data and Cybersecurity Partner and Co-Privacy Officer Trisha Sircar were quoted by FinOps Report on the New York Department of Financial Services’ (NYDFS) new requirements relating to cybersecurity. Effective December 1, 2023, the amended regulations emphasize the roles of C-suite executives, including Chief Information Security Officers (CISOs) and Chief Executive Officers (CEOs), as well as boards of directors, in helping to prevent cyberattacks and reporting cyber incidents to the NYDFS, which has provided a list of what constitutes an incident.
Danette noted that there are significant areas of non-overlap between the NYDFS and SEC rules, which can be tricky for company leaders to navigate. "When key regulatory regimes, such as the NYDFS and the Securities and Exchange Commission diverge, it can create challenges for companies that must adhere to both sets of requirements," she said.
As stated by FinOps Report, CEOs and CISOs of covered financial firms must, by April 15, "jointly certify that their firms have been in 'material' compliance with the NYDFS' new cybersecurity rules for the previous year." If they are unable to do so, they are then required to elaborate on the aspects of their cybersecurity program that are not compliant and how those deficiencies will be fixed. "Covered companies should do a gap analysis between the new requirements and their cybersecurity programs, along with a road map for closing any gaps, that is consistent with the timeline for implementing the new Part 500 requirements," Trisha explained. "The gap analysis will likely include a review and update of the appropriate budgets."
"NY's New Cyber Law Shines Stronger Light on C-Level" FinOps Report, February 11, 2024