Why New York's New Cybersecurity Law Concerns Canadians
As of March 1, 2017, banks, asset management and insurance companies, and insurance services brokers operating in New York State are covered entities under 23 NYCRR Part 500, a complex and highly prescriptive new cybersecurity regulation that may affect Canadian financial services firms as well. The effect is to transition information security from a technical responsibility of the IT department to a governance obligation of senior management and the board. Because this regulation provided the basis for the new NAIC Model Law, other US states may adopt similar cyber regulations that may also affect Canadian companies in those jurisdictions.
Rick Borden, Chief Privacy Officer and partner in the Cyber Law and Data Protection Group, joins a panel that will describe the nuances of this regulation and “unpack” the complexities of optimal compliance.
Key Takeaways:
- How senior management defines non-public information, and which partners constitute third-party information service providers, are key to success
- How to build “accelerators” in predecessor steps that render successor steps easier to accomplish across the initial three implementation and certification deadlines
- An understanding of the optimal order in which each provision of Part 500 should be addressed, based on the rather oblique construction of the regulation and the complex inter-dependencies among its sections