
Last month, Rhode Island enacted a new cybersecurity law significantly tightening cybersecurity requirements for nonbank financial institutions within the state, largely mirroring the framework established by the New York Department of Financial Services, or NYDFS.
The law, effective immediately, applies to nonbank financial institutions licensed by the state's Department of Business Regulation and signals a growing trend of states, especially Democratic-controlled states, advancing more prescriptive cybersecurity standards for financial institutions and their nonbank rivals.
Rhode Island passed the law as the Trump administration relaxed rulemaking and enforcement of federal agencies, including those that regulate cybersecurity at nonbank financial institutions, such as the Consumer Financial Protection Bureau and Federal Trade Commission.
The new law is another stitch in an increasingly diverse patchwork of state-specific cybersecurity rules, some highly similar to those of New York, others less so.
Key requirements for covered companies
Rhode Island Senate Bill 603 mandates several standard cybersecurity practices for covered entities, effectively mirroring those of the NYDFS cybersecurity regulation.
Information security program: Companies must "develop, implement, and maintain a comprehensive information security program" that includes "administrative, technical and physical safeguards."
This program must be appropriate for the institution's size, complexity, activities, use of third-party service providers and the sensitivity of customer information it handles, according to the law. The law also requires a qualified individual to oversee the program.
Risk assessments: Covered institutions must "perform a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information," according to the law. They must also "periodically perform additional risk assessments."
Technical controls: The law requires implementing "technical and administrative controls." These must include encryption, multifactor authentication and access controls.
Encryption: Companies must protect "all customer information held or transmitted both in transit over external networks and at rest." If encryption is infeasible, companies may use "effective alternative compensating controls."
Multifactor authentication: Companies must implement "multi-factor authentication for any individual accessing any information system" unless a qualified individual approves equivalent or more secure controls in writing.
Access controls: Companies must periodically review "access controls, including technical and as appropriate, physical controls" to authenticate authorized users and limit their access to only necessary customer information.
Regular testing: Companies must conduct "yearly penetration testing" and "twice-yearly vulnerability scans." They must also regularly test "the effectiveness of the safeguards' key controls, systems, and procedures."
Incident response plan: The law requires a "written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information."
Service provider oversight: Institutions must "take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards" and write into contracts with service providers requirements to "implement and maintain such safeguards."
Annual reporting: A "qualified individual" must report in writing, at least annually, to the board of directors or a senior officer about the "overall status of the information security program and compliance" and "material matters related to the information security program."
Business continuity: Companies must "establish a written plan addressing business continuity and disaster recovery."
How Rhode Island's law differs from New York's
While the Rhode Island law closely mirrors NYDFS regulations, there are some key differences.
Breach notification timeline: Rhode Island's law gives covered financial institutions "some welcome leeway relative to the NYDFS requirement," according to
It requires notification to the director of the Rhode Island Department of Business Regulation "within three business days of determining a security event has occurred." In contrast, NYDFS requires notice within 72 hours, regardless of whether the period includes nonbusiness days.
Notification triggers: While the exact definitions of what constitutes a security event differ between Rhode Island and New York, the biggest operational difference is what triggers a notification to the state about an event. If an event meets any of the following criteria, a business must report the incident to the Rhode Island Department of Business Regulation:
- It triggered an existing incident notification requirement, such as in another state or federal law.
- It "has a reasonable likelihood of materially harming any consumer residing in Rhode Island."
- It "materially impacts the normal operations of the company."
While New York's regulation shares the first criterion, "material harm" to consumers does not trigger a notification in New York. Rather, NYDFS requires notification if the event results in the deployment of ransomware.
Ambiguity with "notification event": The Rhode Island law also includes a definition for a notification event: the "acquisition of unencrypted customer information without the authorization of the individual to which the information pertains."
However, the law ultimately uses "security event" as the trigger for notifying the regulator, "potentially causing confusion over which definition should prevail when assessing whether to notify the Department of Business Regulation," according to Cooley.
Data retention limits: Rhode Island Senate Bill 603 imposes specific data retention limits, requiring covered financial institutions to "destroy customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer," unless exceptions apply.
Exceptions include information necessary for business operations, required by other law or regulation, or where targeted disposal is not reasonably feasible.
No annual certification: Unlike NYDFS rules, Rhode Island's law does not require companies to annually certify compliance with the state regulator, according to Cooley.
Key differences from other state laws
The trend toward more granular and proactive state-level cybersecurity oversight at nonbank financial institutions is growing, according to Cooley.
For example, North Dakota's House Bill 1127, effective Aug. 1, requires notice within 45 days for security incidents affecting 500 or more consumers, a far cry from New York's 72-hour rule.
Nevada's Senate Bill 44, effective Jan. 1, 2026, ties licensed financial institutions to the FTC's Safeguards Rule and requires notification within 30 days for "notification events" impacting 500 or more customers.