As of today, Covered Entities are expected to be compliant with additional provisions under the New York State Department of Financial Services (NYDFS) cybersecurity regulation. A “Covered Entity” is any individual or non-governmental entity “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” 23 NYCRR 500.01. The cybersecurity regulation became effective March 1, 2017, and Covered Entities had 180 days to become compliant, unless otherwise specified.

A year later, on March 1, 2018, Covered Entities were expected to be in compliance with requirements related to annual reporting by the Chief Information Security Officer (CISO) on the cybersecurity program and material cybersecurity risks, continuous monitoring or periodic penetration testing and vulnerability assessments, periodic risk assessments, multi-factor or risk-based authentication, and regular cybersecurity awareness training for all personnel.
September 4, 2018: NYDFS Cybersecurity Regulation Compliance date arrives