Over the coming year, state financial regulators in New York are expected to ratchet up their enforcement of cybersecurity regulations as amendments to these rules take effect and examiners scrutinize the details of whether and how banks implement the rules.
Recent enforcement actions by the Department of Financial Services, or NYDFS, have signaled that banks operating in the state will need to pay close attention to what exactly they do to protect nonpublic information, according to Bess Hinson-Greenspan, a partner at law firm Holland & Knight who focuses on cybersecurity and privacy litigation. Hinson-Greenspan spoke about the outlook for state cyber enforcement actions during a Wednesday event put on by the law firm.
According to NYDFS regulations, nonpublic information includes consumers’ personal information such as Social Security numbers, but unlike some other regulatory definitions of similar terms, it also broadly covers any information that “would cause a material adverse impact to the business” in the case of a data breach.
Proper handling of nonpublic information played a role in a recent enforcement action by NYDFS against Genesis Global Trading, a cryptocurrency trading company that has since gone out of business. The case ended in an $8 million penalty over failures to comply with the state’s virtual currency and cybersecurity regulations, including failures to implement policies and procedures regarding the regular disposal of nonpublic information and failure to properly encrypt this information.
Relatedly,
The last of this set of amendments will also go into effect this year. In May 2025, policies pertaining to automated vulnerability scanning, controls against malicious code, and enhanced requirements to access controls — limitations to which employees and other users can take actions on a bank’s systems — will all take effect.
Finally, by November 2025, all banks operating in New York will need to implement multifactor authentication for every individual who can access the bank’s information systems. This means both bank employees and bank customers will need to use multifactor authentication. That month, banks will also need to have implemented written policies about IT system asset inventories.
Beyond the rules and regulations, the structure that the NYDFS superintendent Adrienne Harris has built around her department’s cybersecurity regulations and enforcement actions also suggest she is ready to act this year as the final amendments take effect. Harris said during a broadcast interview in December with American Banker that the department has a team of cybersecurity-specific examiners that supplement the business units on exams.
She also highlighted the $100 million in total fines her department has issued in response to cybersecurity regulation violations, adding that she was the first superintendent of the agency to impose such fines.
Harris also highlighted the importance of adequate cybersecurity risk governance for banks, a point she said the recent amendments emphasize.
“We really wanted to make sure our institutions were paying attention to the role of the executive suite, to the role of the board, how they should be thinking about CISOs, and making sure that expertise in those governance structures were in place,” Harris said.
On the opposite coast, banks operating in California will need to pay attention to potentially increased enforcement action by the California Privacy Protection Agency, or CPPA. Established in 2020, the agency is tasked with implementing the California Privacy Rights Act, or CPRA, and the California Consumer Privacy Act, or CCPA.
The CPPA has designated rigorous enforcement of the CCPA, passed in 2018, as a primary goal in its strategic plan for 2024 to 2027. As such, enforcement of the privacy law is expected to increase, according to Hinson-Greenspan.
Most state privacy laws create exemptions for companies covered by the Gramm-Leach-Bliley Act, a federal law that governs how banks and credit unions must handle and disclose their handling of consumer data. California instead exempts personal information covered by the Gramm-Leach-Bliley Act, meaning that banks that engage in nonfinancial activities — for example, using personal data for ad targeting — must comply with the state privacy law.
The most recent example of such an enforcement action was taken
According to Hinson-Greenspan, financial institutions are often the targets of class action lawsuits related to technologies used for digital marketing and surveillance. Potential lawsuits over technologies such as tracking pixels, which provide analytics to companies about who exactly is visiting their websites, will create precedents about whether and how California’s privacy laws govern their use, she said.
“Many financial institutions are leveraging digital technologies to reach customers,” Hinson-Greenspan said. “I am sure your business units or marketing teams are presenting such solutions to you on a daily, weekly, monthly basis, and they’re constantly evolving. We expect a continued push for certainty on whether the California Invasion of Privacy Act or CIPA applies to [technologies] such as tracking pixels, session replay software and chatbots.”