Final Implementation Deadline Approaching for New York’s Cybersecurity Regulation
The final implementation period for the New York Department of Financial Services’ (DFS) cybersecurity regulation covering DFS-regulated entities and licensed individuals ends March 1, 2019.
New York’s first-in-the-nation cybersecurity regulation became effective March 1, 2017, and DFS implemented a two-year timeline for implementation of the regulation’s requirements.
The final step in the implementation timeline requires regulated entities that use third-party providers to put in place policies and procedures ensuring the security of information systems and nonpublic information accessible to, or held by, these providers.
Additionally, the second certification of compliance covering the prior calendar year must be filed electronically via the DFS cybersecurity portal on or before February 15, 2019.
“Two years ago, DFS took steps to address the significant issue of cybersecurity, issuing a first-in-the-nation regulation protecting the financial services industry and consumers from the ever-increasing threat of data breaches and cyber attacks,” said DFS Superintendent Maria T. Vullo in a DFS press release. “With the deadline for final implementation nearing, all DFS-regulated institutions should now have in place a comprehensive risk-based cybersecurity program and adequate controls to protect their information systems, with senior-level attention to these protections.”
Vullo announced in December she is stepping down after three years with DFS, effective February 1. New York Governor Andrew Cuomo has nominated his chief of staff and counselor Linda Lacewell as DFS superintendent to replace Vullo. The appointment requires the state senate’s approval.
“This regulation, which demonstrates the importance of strong state regulation and has set a national model, will provide much-needed protections for the financial services industry and consumers well into the future,” Vullo added in the release.
Under the cybersecurity regulation, all banks, insurance companies and other financial services institutions and licensees regulated by DFS are now required to have a cybersecurity program in place that is designed to protect consumers’ private data, a written policy or policies that are approved by the board or a senior officer, a chief information security officer to help protect data and systems, protections of data at third-party providers, and controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.
Covered entities and licensees must also report cybersecurity events to DFS through the department’s online cybersecurity portal.
Source: New York Department of Financial Services