PROVIDENCE, R.I.—With the Consumer Financial Protection Bureau and Federal Trade Commission pulling back on rulemaking and enforcement, states are stepping in with more stringent cybersecurity mandates for financial institutions—many of them mirroring the framework established by the New York Department of Financial Services (NYDFS).
Rhode Island became the latest to act, enacting a new cybersecurity law on July 2. The law takes effect immediately, Cooley reported.
Cooley explained that the NYDFS has long maintained one of the nation’s most prescriptive cybersecurity frameworks through its 23 NYCRR Part 500 Cybersecurity Rules (Part 500). Part 500 imposes technical and administrative cybersecurity requirements on covered entities, which include banks, lenders, insurers, cryptocurrency companies and other financial services providers.
NYDFS amended Part 500 in late 2023, with many of the additional enhanced cybersecurity controls taking effect in May 2025. Those updates to Part 500 include obligations to conduct automated vulnerability scans, maintain stricter access controls, and implement endpoint detection and response tools, Cooley explained.
The Rhode Island Legislature passed Rhode Island Senate Bill 603 in June 2025, and the governor signed the law on July 2, 2025.
Senate Bill 603 closely mirrors NYDFS’ Part 500 regulations, requiring nonbank financial institutions licensed by Rhode Island’s Department of Business Regulation to adopt comprehensive cybersecurity measures. These include developing a written information security program and incident response plan, conducting risk assessments, and implementing administrative and technical safeguards such as multifactor authentication, access controls, and encryption of data both at rest and in transit. Institutions are also required to carry out annual penetration testing and semiannual vulnerability scans, Cooley said.
Senate Bill 603 also imposes an express timeline for breach notifications similar to NYDFS’ Part 500, with one key change. Financial institutions must notify the director of the Department of Business Regulation within three business days of determining a security event has occurred, whereas NYDFS requires notice within 72 hours (regardless of whether the notice period includes nonbusiness days), Cooley explained.
“Given the prevalence of cybersecurity events on weekends and holidays, Rhode Island’s law provides financial institutions some welcome leeway relative to the NYDFS requirement,” Cooley added.
