The Intersection of Financial Institutions and Technology Leaders

2024 Brings New Cyber-Related Legal Obligations for Banks and Fintech Firms

By Evan Yahng, Kurt Hunt

Fintech companies and their partners are on alert as a flurry of new state and federal cybersecurity requirements take effect. The New York Department of Financial Services (NYDFS) and the Federal Trade Commission (FTC) both recently finalized changes that will create additional compliance obligations, expand existing regulations to new entities and mandate that banks and fintech firms move quickly to update their cybersecurity policies and incident-response capabilities.

NYDFS enacted a series of changes to its existing cybersecurity rules that apply to any entity operating under a license, registration or other similar authorization under New York’s banking, insurance or financial services laws. These new obligations, along with their implementation dates, include:

December 1, 2023: New incident reporting rules that require covered entities to provide regulators with notice of payment within 24 hours of a ransomware or other extortion payment made in connection with a cybersecurity event as well as a written description of why payment was necessary, alternatives considered and efforts to find alternatives and comply with applicable rules and regulations within 30 days of payment.

• November 1, 2024: Chief information security officers must internally report material cybersecurity issues and annual plans for remediating material inadequacies as well as conduct yearly reviews of the effectiveness of compensating controls. Entities also must maintain written incident, business continuity and disaster recovery plans.

• May 1, 2025: Covered entities must implement various technical cybersecurity measures, including penetration testing, automated scans of information systems, limits on the use of privileged accounts, annual removal of unnecessary accounts and access, written password policies and more.

• November 1, 2025: Covered entities must enable multi-factor authentication for any individual accessing their information systems, unless qualified for an exemption.

The NYDFS amendments also expand the definition of a cybersecurity incident to include incidents that occur at affiliates or third-party service providers. Given the ever-increasing use of service providers and hosted solutions, this definition could dramatically expand the number of incidents that must be reported to the regulator.

Meanwhile, the FTC published an amendment to the Safeguards Rule, which takes effect in May of 2024. The Safeguards Rule broadly requires financial institutions — including financial advisors, payday lenders, mortgage brokers and lenders, collection agencies, motor vehicle dealers and more — to protect customers’ non-public information. The amendment will require those entities to report to the FTC when they discover that information affecting 500 or more people has been acquired without authorization. Key takeaways include:

• The FTC will consider customer information unencrypted if the encryption key was accessed by an unauthorized person and will presume that unauthorized access resulted in unauthorized acquisition unless the financial institution has reliable evidence to the contrary.

• Notice must be given within 30 days of the event being known to any employee, officer or other agent of the financial institution, other than the person committing the breach.

• Notices must include the reporting institution’s name and contact information, the types of information involved, the date the event took place, the number of affected consumers, a general description of the event and whether law enforcement has determined that notifying the public would endanger a criminal investigation or national security.

• The amendment will not require notifying the affected individuals.

• Companies should expect many of these obligations to flow down to service providers and other companies that work directly with financial institutions.

The new NYDFS and FTC regulations are not one-offs. They are part of a sustained push toward greater oversight of the financial services industry, even for entities that have traditionally been less regulated than banks or similar financial institutions. Given this momentum, companies need to work hard to stay ahead of the curve and not treat compliance as a check-the-box exercise.

Incident response policies should be updated and stress-tested through tabletop and similar exercises to ensure response teams can meet the tight deadlines and transparency that regulators demand. Financial entities should continually refine their vendor management programs, data mapping and similar internal practices to proactively manage risks before compliance issues arise. In today’s financial sector, keeping up means keeping ahead.

Evan is a commercial litigation attorney who focuses his practice on privacy law and other complex litigation. He has successfully helped clients win dismissal of lawsuits over violations of the right to privacy, HIPAA, and identity theft. Evan also has substantial experience helping clients manage data breaches, comply with Federal Trade Commission regulations, navigate defamation liability, respond to civil investigative demands regarding the False Claims Act, obtain high-value settlement terms, and handle many other complex legal matters.

Kurt focuses his practice on privacy, cybersecurity, data collection and usage, and technology issues. In that role, he advises clients on general corporate and administrative issues, regulatory compliance, and contract negotiations.