As of today, Covered Entities are expected to be compliant with additional provisions under the New York State Department of Financial Services (NYDFS) cybersecurity regulation. A “Covered Entity” is any individual or non-governmental entity “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” 23 NYCRR 500.01. The cybersecurity regulation became effective March 1, 2017, and Covered Entities had 180 days to become compliant, unless otherwise specified.
A year later, on March 1, 2018, Covered Entities were expected to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b): annual reporting by the Chief Information Security Officer (CISO) to the board or senior officers on the cybersecurity program and material cybersecurity risks; continuous monitoring or, failing that, periodic penetration testing and vulnerability assessments; periodic risk assessments; multi-factor or risk-based authentication; and regular cybersecurity awareness training for all personnel.
Now, six months later, the eighteen-month transitional period is over, and Covered Entities are also required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15. Specifically, they must:
(1) securely maintain systems designed to reconstruct material financial transactions sufficient to support normal operations and obligations, including audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of normal operations (500.06, audit trail);
(2) have written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications, and procedures for evaluating, assessing or testing the security of externally developed applications (500.08, application security);
(3) have policies and procedures for the periodic secure disposal of non-public information that is no longer necessary for business operations or for other legitimate business purposes (500.13, limitations on data retention);
(4) implement risk-based policies, procedures and controls designed to monitor the activity of authorized users and detect unauthorized access to or use of, or tampering with, non-public information (500.14(a), monitoring of authorized users); and
(5) implement controls, including encryption, to protect non-public information in transit over external networks and at rest; only where the Covered Entity determines that encryption is infeasible may it rely instead on effective alternative compensating controls reviewed and approved by the CISO (500.15, encryption of non-public information).
NYDFS issued a reminder about the September 4 compliance deadline this August, which additionally gave notice of the next and final transitional deadline, March 1, 2019, when Covered Entities must implement written policies and procedures designed to ensure the security of information systems and non-public information that are accessible to, or held by, third-party service providers (500.11, third-party service provider security policy). For further information about the cybersecurity regulation, see the full list of key dates (set forth in 23 NYCRR 500.22) and NYDFS's answers to frequently asked questions.