New York financial companies may face their first fines under state cybersecurity rules following an April 15 compliance deadline, attorneys said.
The state Department of Financial Services’ April 15 deadline is a reminder to financial firms that they have the next three months to bolster their systems before it’s too late to avoid fines under the first-in-the-nation state cybersecurity rules, attorneys said.
There likely will be “a significant increase” in enforcement after the deadline, said Avi Gesser, a principal member of Davis Polk & Wardwell LLP’s cybersecurity practice, who represents companies and financial institutions. State enforcers are “staffing up” ahead of the deadline, he said.
The state agency “likely within months” of the deadline will take its first actions, said Joseph Moreno, a cybersecurity partner at Cadwalader, Wickersham & Taft LLP who represents companies on banking issues. The actions may include fines, license suspensions or directives to stop unsafe practices, he said.
The state financial services department declined to comment. The agency hasn’t disclosed the size of any fines it may issue.
As the world’s financial capital, New York is under constant threat from cybercriminals seeking a massive payday. The 2017 Equifax data breach, which exposed the data of 143 million Americans, highlights the risk.
The threats prompted the state financial services agency to issue cybersecurity rules in March 2017. Nearly three years later, the agency has yet to issue fines under the rules, though it did sign a consent order with Equifax in June 2018.
The enforcement lull is tied to the agency updating rules and allowing a transition period for company preparations, attorneys said. But the agency this year is primed to “make an example of those who commit technical violations,” having given banks the time to get into compliance, Moreno said.
The agency is “likely to have a particularly low tolerance going forward for covered entities that have been warned of the threat and nonetheless fail to put adequate safeguards and notification procedures into place,” he said.
Companies shouldn’t panic, but they “should take stock where they are,” said Luke Dembosky, co-chair of Debevoise & Plimpton LLP’s cybersecurity and data privacy practice. “Stay on top of the program and be ready for any inquiries.”
Companies’ senior management and boards should reassess cybersecurity protections and compliance with the rules, Dembosky, who represents companies and financial institutions on privacy and cybersecurity issues, said.
Financial companies also should make sure they are aware of new cybersecurity threats, attorneys said. Recent alerts about Iranian hacking are a reminder to have adequate protections, they said.