Eight years ago, on March 1, 2017, the New York Department of Financial Services enacted its landmark cybersecurity regulation covering financial services companies, 23 NYCRR Part 500, known as “Part 500.” Part 500 was the first state regulation to enumerate, in great detail, the elements of a cybersecurity program that a covered financial services company in New York is required to implement. Since then, the focus of state cybersecurity legislation has been directed largely at insurance companies, with twenty-six states passing some version of a model Insurance Data Security Act. Now, given the growing number and sophistication of cybersecurity threats to the financial industry, a handful of states are poised to follow New York’s lead and impose data security requirements on financial services companies that are not otherwise covered by the Gramm-Leach-Bliley Act (“GLBA”), 15 U.S.C. § 6801 et seq.
On April 11, 2025, the governor of North Dakota signed House Bill No. 1127, which requires financial corporations regulated by the state’s Department of Financial Institutions to maintain a comprehensive information security program. Covered entities include trust companies, mortgage lenders, consumer lenders, money transmitters, delayed deposit services, and cryptocurrency kiosks and ATMs. The law tracks the required program elements and safeguards that federally regulated financial institutions must implement under the Federal Trade Commission’s Safeguards Rule (26 C.F.R. § 314.4), which include conducting a risk assessment; having a qualified person oversee the program; implementing access management controls, encryption, and multi-factor authentication; testing and monitoring the controls; establishing a written incident response plan; overseeing vendors; and conducting employee training. The North Dakota law also requires covered financial corporations to notify the Department of Financial Institutions of a notification event.
Similar bills were recently introduced in Florida (Senate Bill 1216), Nevada (Senate Bill 44), and Rhode Island (Senate Bill 603 / House Bill 5415) that would also cover financial services businesses not regulated under the GLBA. Like the North Dakota law, these bills mirror the required elements of a cybersecurity program under the FTC’s Safeguards Rule. One key difference is that the Rhode Island bill requires notification to the state within three business days of a notification event if any Rhode Island consumer is impacted. The Florida, Nevada, and North Dakota bills generally follow the FTC’s Safeguards Rule, which requires regulator notice within 30 days (Nevada) or 45 days (North Dakota), and only if 500 or more consumers are impacted.[1]
This recent focus of state legislation on the financial services industry may signal a trend of states moving to fill a gap in cybersecurity regulation over financial entities not covered by the GLBA. These entities tend to be smaller and to have less mature cybersecurity programs than larger banks and financial institutions, but they collect and hold much of the same type of consumer personal information, making them prime targets for threat actors.
[1] Florida Senate Bill 1216 requires notice “at a time and in the manner prescribed by commission rule.”