From a Cooley alert:
As the Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC) scale back rulemaking and enforcement, states are advancing more prescriptive cybersecurity standards for financial institutions, including many that align with the approach and standards set by the New York Department of Financial Services (NYDFS). On July 2, 2025, Rhode Island became the latest state to impose new robust cybersecurity requirements on financial institutions. The new Rhode Island law is effective immediately.
Rhode Island’s Senate Bill 603
The Rhode Island Legislature passed Rhode Island Senate Bill 603 in June 2025, and the governor signed the law on July 2, 2025.
Senate Bill 603 closely tracks NYDFS’ Part 500 requirements, requiring nonbank financial institutions licensed by the state’s Department of Business Regulation to develop written information security programs and a written incident response plan, perform risk assessments, and implement technical and administrative controls, such as multifactor authentication, access restrictions, and encryption of data at rest and in transit. Financial institutions also must conduct yearly penetration testing and twice-yearly vulnerability scans.
Senate Bill 603 also imposes an express timeline for breach notifications similar to NYDFS’ Part 500, with one key change. Financial institutions must notify the director of the Department of Business Regulation within three business days of determining that a security event has occurred, whereas NYDFS requires notice within 72 hours of that determination, counted in calendar time regardless of whether the period includes weekends or holidays. Given how often cybersecurity events surface on weekends and holidays, Rhode Island’s business-day clock gives financial institutions some welcome leeway relative to the NYDFS requirement.
Read more about Rhode Island’s law and how it differs from NYDFS Part 500 cybersecurity law at Cooley.com.