Rhode Island has enacted Senate Bill 603 (SB603), effective July 2, 2025, establishing a comprehensive cybersecurity framework for nonbank financial institutions licensed by the state’s Department of Business Regulation (DBR). Although SB603 is closely modeled after the New York Department of Financial Services’ (NYDFS) Cybersecurity Regulation, 23 NYCRR Part 500 (Part 500), SB603 introduces several notable deviations that may influence compliance strategies—particularly for institutions licensed in both jurisdictions.
Core Requirements
Under SB603, licensees must develop a written information security program and formal incident response plan, both based on a risk assessment tailored to the institution’s operations. Licensees are further required to (i) implement certain technical controls such as multifactor authentication, role-based access restrictions, threat detection, and encryption of data at rest and in transit; and (ii) conduct annual penetration testing and biannual vulnerability scans (in certain circumstances). Licensees are also required to provide an annual update on the institution’s information security program to the board of directors (or equivalent senior governing body), including material matters related to the information security program, such as risk assessment, risk management, service provider arrangements, security events, and recommendations for changes in the information security program.
Breach Notification Obligations
Rhode Island licensees must notify the DBR Director within three business days of determining that a reportable “security event” has occurred, a timeline the statute shares with the NAIC Insurance Data Security Model Law as adopted in over 25 states. The statute defines a security event broadly to include: “an event resulting in unauthorized access to, or disruption or misuse of, an information system or information stored on such information system, or customer information held in physical form[.]”
A security event becomes reportable to the DBR Director if:
- The event triggers reporting obligations under any state or federal law to a governmental or self-regulatory body; or
- The event is reasonably likely to materially harm a Rhode Island consumer or materially impact the licensee’s operations.
Notable Deviations from NYDFS Part 500
While modeled on Part 500, Rhode Island’s law introduces several material differences:
- Applicability: Rhode Island’s law applies exclusively to nonbank financial institutions licensed by DBR, whereas NYDFS Part 500 governs a broader range of entities, including banks, insurers, mortgage lenders, and cryptocurrency firms.
- Business-Day Notification Window: Unlike NYDFS’ 72-hour rule, Rhode Island allows for three business days, offering flexibility for incidents discovered over weekends or holidays.
- Breach Notification Triggers: Both Part 500 and SB603 require regulator notice when a security event poses a reasonable likelihood of materially disrupting normal operations. However, SB603 introduces a notable difference—it also requires notification if the security event is reasonably likely to materially harm a Rhode Island resident, adding a layer of consumer-centric protection that Part 500 does not expressly include. That said, Part 500 has its own unique notification requirements that SB603 does not contain, including (i) covered entities must notify the Department within 72 hours if ransomware is deployed in a material part of their system, and (ii) within 24 hours if an extortion payment is made in connection with a cybersecurity event.
- Prescriptive Breach Notification Content Requirements: Unlike Part 500, which does not contain specific prescriptive content requirements in its Cybersecurity Regulation, SB603 explicitly requires licensees to provide the DBR with specific information in the event of a security event, including for example, a description of the types of information involved in the notification event (which is defined to mean the unauthorized acquisition of unencrypted customer information), the date or date range of the notification event (if possible to determine), the total number of Rhode Island residents affected or potentially affected by the notification event (if an estimate, the licensee must update the DBR with each subsequent report), a description of “what happened,” remediation steps taken by the licensee, and whether law enforcement
- Encryption: Rhode Island adopts a more flexible stance, allowing compensating controls when encryption at rest or in transit is infeasible. In contrast, Part 500 only permits compensating controls if encryption at rest is infeasible—not for data in transit. Additionally, SB603 narrows the encryption requirement to “customer information,” defined as nonpublic personal information about consumers with whom the licensee has a relationship; Part 500, however, applies to all nonpublic information, including business-related information.
- Risk Assessment Criteria: Rhode Island requires a written assessment with defined evaluation criteria and a mitigation plan for the risks identified; NYDFS also requires a risk assessment but does not prescribe its format or evaluation criteria.
- Record Retention Rules: SB603 requires that customer information be securely disposed of within two years of its last use, unless exceptions apply. In contrast, NYDFS merely requires periodic disposal once data is no longer needed, without a specific timeframe.
SB603 reflects a growing trend toward more prescriptive, state-level regulation. While it aligns closely with Part 500, its unique provisions—such as the inclusion of physical records and disposal timelines—introduce new compliance considerations. Institutions operating in both jurisdictions should take proactive steps to harmonize their cybersecurity programs, ensuring they meet the most stringent requirements while maintaining operational flexibility.