Third Compliance Date Approaching for New York Cybersecurity Regulation

August 9, 2018

The third transitional period for New York’s first-in-the-nation cybersecurity regulation for all Department of Financial Services (DFS) regulated entities ends on September 4, 2018.

Beginning on September 4, banks, insurance companies and other financial services institutions regulated by DFS are required to have come into compliance with several additional provisions of the cybersecurity regulation that are vital to the governance and components of a robust financial services cybersecurity program.

“New York stepped into the void and took decisive action to ensure appropriate minimum standards protecting financial institutions’ data systems, including consumers’ sensitive personal information,” said DFS Superintendent Maria T. Vullo in a press release issued by DFS. “These new protections, which include encryption, access controls and audit trails, add crucial tools to the regulation’s prior requirements in protecting the institutions and consumers.”

Following the third compliance date, companies will be required to have commenced mandatory annual reporting to the board by the chief information security officer concerning critical aspects of the cybersecurity program, to have an audit trail designed to reconstruct material financial transactions sufficient to support normal operations in the event of a breach, and to have policies and procedures in place to ensure the use of secure development practices for IT personnel that develop applications for the covered entity.

Companies also must implement encryption to protect nonpublic information held or transmitted by the company. Entities are also required to have developed policies and procedures to ensure secure disposal of information that is no longer necessary for the business operations and must have implemented a monitoring system that includes risk-based monitoring of all persons who access or use any of the company’s information systems or who access or use the company’s nonpublic information.

DFS also has reminded regulated entities that under DFS’s regulation, if they utilize third-party service providers, they must evaluate the risk that any third-party service providers pose to the security of those systems and data and ensure those systems and data are protected by March 1, 2019.

Source: New York Department of Financial Services
