On February 16th, 2017, the New York Department of Financial Services (NYDFS) released the NYDFS Cybersecurity Regulation (23 NYCRR 500). This regulation lays out a new set of cybersecurity requirements for all covered financial institutions. With this enactment, NY became the first state to implement comprehensive cybersecurity regulations. Our hope is that other states will follow suit and lay out a framework to help protect sensitive data for all consumers.
Who is required to comply with the NYDFS Cybersecurity Regulation?
Currently, there is a prescribed list of businesses that must comply with the regulation:
- State-chartered banks
- Trust companies
- Licensed lenders
- Service contract providers
- Private bankers
- Mortgage companies
- Insurance companies doing business in New York
- Non-U.S. banks licensed to operate in New York
Businesses are exempt if:
- They have fewer than 10 employees,
- They have less than $5 million in gross annual revenue for three years, or
- They have less than $10 million in year-end total assets
What are the key highlights of the regulation?
The following are the key sections of the regulation. More details are available in the NYDFS publication:
- Each Covered Entity must have a cybersecurity program
- Each Covered Entity must implement and maintain written policies covering:
  - information security;
  - data governance and classification;
  - asset inventory and device management;
  - access controls and identity management;
  - business continuity and disaster recovery planning and resources;
  - systems operations and availability concerns;
  - systems and network security;
  - systems and network monitoring;
  - systems and application development and quality assurance;
  - physical security and environmental controls;
  - customer data privacy;
  - vendor and Third Party Service Provider management;
  - risk assessment; and
  - incident response.
- Designate a Chief Information Security Officer (CISO)
- Annual penetration test and bi-annual vulnerability assessments (What is the difference?)
- Maintain systems that have audit trail capabilities
- Limit access privileges
- Application security
- Conduct periodic risk assessments
- Utilize qualified cybersecurity personnel
- Maintain third party service provider security policies
- Leverage multi-factor authentication
- Limitations on data retention
- Encryption of nonpublic information
- Maintain an incident response plan
- Notify the Superintendent if a cybersecurity event occurs
What should my business do next?
The regulation officially went live on March 1, 2017. Certain Covered Entities were required to be in compliance with certain parts of the regulation as soon as August 28, 2017, and must have filed their first Certification of Compliance with the NYDFS superintendent’s office by February 15, 2018. If you are not compliant today, the first step is determining whether you are required to be, and then taking action as soon as possible. The next key date is September 3rd, 2018, when the 18-month transitional period ends; finally, on March 1, 2019, the 2-year transitional period ends and all Covered Entities must be fully compliant. Frequently asked questions and key dates can be found here.
Overall, this appears to be a step in the right direction for New York and for the country as a whole. By implementing relatively strict guidelines that help consumers, we see this acting as a precursor to expansion to other entities, as well as to other states that will look to mimic or implement similar requirements. While this still does not remove the threat of a breach, it can help mitigate certain risks and ensure that companies alert authorities if and when a breach occurs. Stay tuned for updates on how this requirement will be enforced and on whether other states begin adopting something similar. Let us know if you’d like to discuss further.