Privacy Daily is a service of Warren Communications News.

States Fill Federal Void Regulating Financial Institutions' Cybersecurity: Cooley

With federal agencies deemphasizing rulemaking and enforcement, “states are advancing more prescriptive cybersecurity standards for financial institutions, including many that align with the approach and standards set by the New York Department of Financial Services (NYDFS),” the Cooley law firm blogged Wednesday.


Historically, the FTC and Consumer Financial Protection Bureau “have taken a more central role in taking enforcement actions against financial institutions for alleged insufficient cybersecurity practices,” noted Cooley. “However, as the CFPB and FTC have shifted their enforcement priorities in the new administration, a growing number of states have recently passed laws that impose new cybersecurity requirements for financial services providers, indicating a trend in state regulation that is only just beginning.”

Rhode Island enacted a cybersecurity law for financial institutions on July 2, and it’s now in effect, noted Cooley. In addition, a North Dakota law takes effect Aug. 1 and Nevada’s becomes effective Jan. 1.

Rhode Island’s new law “closely tracks NYDFS’ Part 500 requirements, requiring nonbank financial institutions licensed by the state’s Department of Business Regulation to develop written information security programs and a written incident response plan, perform risk assessments, and implement technical and administrative controls, such as multifactor authentication, access restrictions, and encryption of data at rest and in transit,” Cooley said.

Like the New York regulation, Rhode Island’s law sets a three-day timeline for breach notifications. However, New York’s deadline is measured in calendar days, while Rhode Island’s is measured in business days, noted Cooley: “Given the prevalence of cybersecurity events on weekends and holidays, Rhode Island’s law provides financial institutions some welcome leeway relative to the NYDFS requirement.”